Re: PGP Signed Messages

["[Segmen]" <dontpanic999 () yahoo com>]

yep, my thoughts exactly... i see no reason why the comment shouldnt be
included when generating the signature.

agreed that anyone with any experience with PGP will spot this instantly,
and confirm their suspicions by verifying the Message, but
someone with little experience, or maybe even someone in a rush, who simply
reads the message then confirms the valid the signature
may miss this, which admittedly i have done sometimes for non-essential
mails ;o) , could possibly be tricked by this.

> From some of the replies i have received it seems that GPG is not vulnerable
to this trick.

--
PGP Key ID : 0x897D43BA
SDF Public Access UNIX System - http://sdf.lonestar.org
----- Original Message -----
From: "jms" <jms () uic edu>
To: "[Segmen]" <dontpanic999 () yahoo com>
Sent: Monday, October 15, 2001 9:13 PM
Subject: RE: PGP Signed Messages


> Here's my perspective as someone who has never used PGP.
>
> I would examine the message and probably conclude
> that the message is in some sort of PGP multi-part
> message, sort of like a multi-part MIME message,
> and that I was seeing the unparsed headers.
>
> If you had written "P.S.  Please send the confidential ..."
> instead of "Please ...", that would probably be enough
> to convince me that I had "figured it out", because
> I've seen similar email where the author adds additional
> message text as a mime attachment to the original message.
>
> Of course, the PGP check would show the message to be authentic ...
>
> I would certainly agree that at the very least the contents of the
> comment should be included in computing the signature.
>
> > ===== Original Message From "[Segmen]" <dontpanic999 () yahoo com> =====
> > It occurred to me today what a bad idea the Comment Field is in PGP
signed
> > messages. Altering the Comment filed does not affect the validity of the
> > signature, but to the non experienced PGP/GPG user it certainly appears
to
> > be part of the message.
> >
> > Example :
> >
> > A generic message I could have got hold of :
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hello, meeting cancelled, speak to you soon.
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 7.0.4
> >
> > iQA/AwUBO8r9v9nrfc+JfUO6EQLrEACgv6+C07aWgAO+Dna0MHgEDaoDMxEAoJ2P
> > 7gojqeCRqKqTkbFMkHCToxtq
> > =lki3
> > -----END PGP SIGNATURE-----
> >
> > I could change this to :
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hello, meeting cancelled, speak to you soon.
> >
> > -----BEGIN PGP SIGNATURE-----
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Please Send the Confidential Files from the planned meeting to
> > My colleague Instead at me () host com . He will now be dealing with
> > this matter.
> > Speak to you soon, victim.
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 7.0.3
> >
> > iQA/AwUBO8r9v9nrfc+JfUO6EQLrEACgv6+C07aWgAO+Dna0MHgEDaoDMxEAoJ2P
> > 7gojqeCRqKqTkbFMkHCToxtq
> > =lki3
> > -----END PGP SIGNATURE-----
> >
> > well, you get the idea. The signature is still valid.
> >
> > Agreed that only the beginner crypto user would fall for this, but if
they
> > were to read the message and then just use PGP to check the validity,
they
> > could be tricked into believing that the extra lines were part of the
> > verified message.
> > Does anybody else think this is quite a bad idea?
> >
> >
> > --
> > PGP Key ID : 0x897D43BA
> > SDF Public Access UNIX System - http://sdf.lonestar.org
> > UKChat - http://www.ukchat.com
> >
> >
> >
> > _________________________________________________________
> > Do You Yahoo!?
> > Get your free @yahoo.com address at http://mail.yahoo.com


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com