Security Basics mailing list archives
Re: Why is that when an E-Mail is sent via an E-Mail client it's altered, but not if it's sent via the web site?
From: Christos Triantafyllidis <ctria () physics auth gr>
Date: Fri, 20 Jan 2006 22:06:50 +0200
Hi,

The problem is that something is added to or removed from the mail after it is signed. By "mail" I mean the full mail (with headers). Some headers are not contained in the signature (like the "delivered to" headers) because it is normal for them to be added after the signature, but others (like the subject, or a footnote in the message body advertising a service (common in free email services)) should not be changed after the signature.
Common email clients SHOULD NOT create such problems. Homemade on the other hand...
Christos Triantafyllidis

Ebeling, Jr., Herman Frederick wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, I've got a question for everyone. That is why is it that when one sends a signed E-Mail through an E-Mail client that it gets "altered" somewhere along the way rendering the signature as "bad?" Yet, when one sends a signed E-Mail via the web site that it doesn't?

Such as this one, I just about guarantee that once it's received, and then passed onto the subscribers that it'll have the following MSG:

*** PGP SIGNATURE VERIFICATION ***
*** Status: Bad Signature
*** Alert: Signature did not verify. Message has been altered.
*** Signer: Herman Frederick Ebeling Jr. <hfebelingjr () lycos com> (0xDB13DBD3)
*** Signed: 11-Jan-06 12:15:55 AM
*** Verified: 17-Jan-06 7:00:16 PM
*** BEGIN PGP VERIFIED MESSAGE ***

I've also noticed this happening with more than one of the groups at Yahoo, as well.

Herman
Live Long and Prosper

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQ82FWx/i52nbE9vTEQKBhQCg2XDb/stRHQW12YMwwc2o1CcK1RwAoJg6
lK7dl86CyCP2z6hS+205h8Jm
=2I7A
-----END PGP SIGNATURE-----
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
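
The reply above attributes the "Bad Signature" status to changes made to the mail after signing. The following is an added example, not part of either poster's message, showing which in-transit changes to a clear-signed body alter the text digest and which are absorbed by the canonicalization in RFC 4880 section 7.1. It goes slightly beyond the thread by also covering line re-wrapping; the sample body, the footer text and all function names are constructed for illustration.

```python
import hashlib

def canonicalize(text: str) -> bytes:
    """Canonical text hashed for an OpenPGP cleartext signature (RFC 4880, 7.1)."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # the line ending before the signature armor is not signed
    # Trailing spaces/tabs are dropped and line endings become CRLF.
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("utf-8")

def text_digest(text: str) -> str:
    # Stand-in for verification: a real signature also hashes a signature
    # trailer, but if this digest differs the signature cannot verify.
    # SHA-1 is used only because the quoted message declares "Hash: SHA1".
    return hashlib.sha1(canonicalize(text)).hexdigest()

def survives_transit(signed: str, received: str) -> bool:
    return text_digest(signed) == text_digest(received)

# Constructed sample of the text between the PGP header and signature armor.
SIGNED = (
    "Ok, I've got a question for everyone.\n"
    "Why does my signed mail verify as bad?\n"
)

def transit_variants(signed: str) -> dict:
    """Changes a client, relay or list server might make (all constructed)."""
    return {
        "crlf_line_endings": signed.replace("\n", "\r\n"),
        "trailing_whitespace": signed.replace("\n", " \t\n"),
        "footer_appended": signed + "Sent via ExampleMail (constructed footer)\n",
        "rewrapped_line": signed.replace(" for everyone", "\nfor everyone", 1),
    }

def report(signed: str) -> dict:
    return {name: survives_transit(signed, body)
            for name, body in transit_variants(signed).items()}

if __name__ == "__main__":
    for name, ok in report(SIGNED).items():
        print(f"{name:22} {'verifies' if ok else 'BAD SIGNATURE'}")
```

The footer case applies only when the text is inserted inside the signed region; text appended after the `-----END PGP SIGNATURE-----` line is outside what the signature covers.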