Educause Security Discussion mailing list archives
Re: New SANS Discount Programs to Educational Centers
From: Dave Koontz <dkoontz () MBC EDU>
Date: Mon, 1 Dec 2003 18:15:29 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

S/MIME and PGP/MIME based message signing has always been a "no-no" on ANY listserv I've ever been on, for this very reason. You will notice that most users post with an inline PGP/GnuPG signature (like I've done here) ... IF and when they desire verification. Even vendors use this inline method when posting security patch notices to their own lists.

Just about every list adds disclaimer text or taglines to messages posted to them. Given these common alterations, you may want to re-think your MIME based message signing to something more universal and forgiving, such as PGP/GnuPG inline signing. Thawte and Verisign MIME signatures are great, but not for signing list messages.

Just my 1/2 cent worth.... <g>

- -----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of H. Morrow Long
Sent: Monday, December 01, 2003 4:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New SANS Discount Programs to Educational Centers

On Dec 1, 2003, at 10:10 AM, David Escalante wrote:
Just thought I'd mention that Mozilla 1.5 reports your X.509 signature as "broken" for this message. It notes that the signature does not match the message content correctly, and that the message appears to have been altered since sending. This is conceivable if some majordomo-ish software munged the headers or something, but if that's what happened, then there's no point in signing messages to lists.

Interesting. Have you run into this before?

--
David Escalante
Director of Computer Security
Boston College
David --

The mailing list software which EDUCAUSE is using is modifying the message sent to some degree -- and actually any small amount of modification at all will throw off the crypto 'signing' of the MIME parts. I've checked the 'sent' message in my 'out box' and the signature on it is fine and can be verified.

Yes, I've run into list s/w modifying e-mail messages before (e.g. by appending lines to the posted messages) and thereby breaking the digital signatures (you can get around this by only tacking on info as part of the RFC822 headers, which should be 'outside' the digital signature for the message).

The major change that the list s/w is making inside the MIME message parts is inserting a tagline for the Educause discussion groups -- e.g. the two lines:

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

But the list software is also reformatting "whitespace" in the message as well (changing leading tabs to spaces and removing trailing spaces). Here is a 'diff' between the message I sent and what I received from the list (the RFC822 headers have been removed, as well as the trailing S/MIME sig) to demonstrate:

[net248-80:/tmp] morrow% diff one two | vis -l
3c3\$ < boundary=Apple-Mail-1--870838275\$ - ---\$
boundary=Apple-Mail-1--870838275\$
9,10c9,10\$ < charset=US-ASCII;\$ < format=flowed\$ - ---\$
charset=US-ASCII;\$ format=flowed\$
12c12\$ < I received the following targeted e-mail from SANS (Note: I have no \$ - ---\$
I received the following targeted e-mail from SANS (Note: I have
no\$ 14c14\$ < I know that many of us in higher ed participate in SANS training as \$ - ---\$
I know that many of us in higher ed participate in SANS training
as\$ 17c17\$ < SANS is offering two new discounted packages specifically to .edu \$ - ---\$
SANS is offering two new discounted packages specifically to
.edu\$ 23c23\$ < 2. General end-user online SANS Security Awareness Training @ $1 per \$ - ---\$
2. General end-user online SANS Security Awareness Training @ $1
per\$ 26c26\$ < H. Morrow Long, Director - Information Security Office, ITS, Yale \$ - ---\$
H. Morrow Long, Director - Information Security Office, ITS,
Yale\$ 83a84,86\$
**********\$ Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at http://www.educause.edu/cg/.\$
\$
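Review bot: the 83a84,86 hunk is the one change that cannot be explained by whitespace handling: three lines (the asterisk rule, the tagline text and a blank line) are inserted into the body at line 84, ahead of the charset=US-ASCII part that 87c90 shows and well ahead of the signature part, so they fall inside the octets an S/MIME multipart/signed digest covers and no verifier can skip them. The workaround the message itself gives is the right one: carry the tagline in an RFC 822 header, which the signature does not cover, rather than inserting it into a body part.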
87c90\$ < charset=US-ASCII\$ - ---\$
charset=US-ASCII\$
204c207\$ < Brian Correia \$ - ---\$
Brian Correia\$
208c211\$ < SANS Institute \$ - ---\$
SANS Institute\$
210c213\$ < www.sans.org / brian () sans org \$ - ---\$
www.sans.org / brian () sans org\$
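Review bot: every other hunk is whitespace-only, which the 12c12 pair shows most clearly: the `<` line ends in a space before the `$` end-of-line marker from vis -l and the `>` line does not. Two points belong next to this diff. First, 3c3, 9,10c9,10 and 87c90 touch the boundary=, charset= and format=flowed continuation lines of the inner MIME headers; they read identically here, so the change is in the leading whitespace described above, and since those headers sit inside the signed part of a multipart/signed message the rewrite breaks the signature even where no visible text changed. Second, with format=flowed (RFC 2646) a trailing space is the soft line break marker, so stripping it also changes how the recipient's client reflows the paragraph, not only the digest.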
[net248-80:/tmp] morrow%

- - H. Morrow Long
Director - Information Security
Yale University, ITS

On Dec 1, 2003, at 10:10 AM, David Escalante wrote:
Just thought I'd mention that Mozilla 1.5 reports your X.509 signature as "broken" for this message. It notes that the signature does not match the message content correctly, and that the message appears to have been altered since sending. This is conceivable if some majordomo-ish software munged the headers or something, but if that's what happened, then there's no point in signing messages to lists.

Interesting. Have you run into this before?

--
David Escalante
Director of Computer Security
Boston College

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3

iD8DBQE/y8pvAUCyJXrX9WkRAsroAJ4touu6L7//p9fKBr+2cQ42onNrdQCgt7Ve
pw0QpgCc9c1tsrO+gNpXCpQ=
=vnSq
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
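The thread comes down to which octets each signature covers and how they are canonicalised before hashing. The following is an added example, not code from the thread or from any of the posters: it models the three rewrites visible in Morrow Long's diff (trailing spaces stripped, leading tabs expanded, list tagline appended) and checks an S/MIME-style detached digest and a PGP-style cleartext signature against the rewritten copy. SHA-256 digests stand in for real signatures, the sample bodies and the eight-spaces-per-tab expansion are constructed assumptions, and the cleartext canonicalisation (trailing whitespace removed, CRLF line endings, dash-escaping) follows RFC 4880 section 7.

```python
"""Added example, not code from the thread: model the list's rewrites and
check which signature survives them. SHA-256 digests stand in for real
signatures; the point is which octets each scheme covers and how it
canonicalises them, not the public-key arithmetic."""
import hashlib
import re

# Constructed sample bodies (not the thread's real messages). The first line
# ends in a space on purpose: that is a format=flowed soft line break.
BODY_PLAIN = (
    "I received the following targeted e-mail from SANS (Note: I have \n"
    "no affiliation with them).\n"
    "\n"
    "-- Morrow\n"
)
BODY_WITH_TABS = BODY_PLAIN + "\t2. Awareness training @ $1 per seat\n"

TAGLINE = (
    "**********\n"
    "Participation and subscription information for this EDUCAUSE "
    "Discussion Group discussion list can be found at "
    "http://www.educause.edu/cg/.\n"
)


def listserv_rewrite(text: str, tagline: str = TAGLINE) -> str:
    """The three changes visible in Morrow Long's diff: trailing spaces
    dropped, leading tabs expanded to spaces (8 per tab is an assumption),
    tagline appended after the message text."""
    out = []
    for line in text.split("\n"):
        rest = line.lstrip("\t")
        line = " " * (8 * (len(line) - len(rest))) + rest
        out.append(line.rstrip(" "))
    return "\n".join(out) + tagline


# S/MIME multipart/signed: the signature covers the exact octets of the
# signed part, its own Content-Type headers included.
def smime_sign(part: str) -> str:
    return hashlib.sha256(part.encode()).hexdigest()

def smime_verify(part: str, sig: str) -> bool:
    return hashlib.sha256(part.encode()).hexdigest() == sig


# Inline PGP cleartext signature (RFC 4880 section 7): before hashing,
# trailing spaces/tabs are removed from each line and line endings become
# CRLF, so a list that strips trailing whitespace changes nothing.
def _canonical(text: str) -> bytes:
    lines = text.split("\n")
    if lines and lines[-1] == "":  # the final line ending is not signed
        lines.pop()
    return "\r\n".join(l.rstrip(" \t") for l in lines).encode()

def pgp_clearsign(text: str) -> str:
    """Dash-escape lines beginning with '-' and append the signature block;
    anything a list adds after that block was never signed."""
    if not text.endswith("\n"):
        text += "\n"
    escaped = "".join(
        ("- " + line if line.startswith("-") else line) + "\n"
        for line in text.split("\n")[:-1]
    )
    return (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
        + escaped
        + "-----BEGIN PGP SIGNATURE-----\n"
        + hashlib.sha256(_canonical(text)).hexdigest() + "\n"
        + "-----END PGP SIGNATURE-----\n"
    )

_CLEARSIGNED = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n"
    r"(?:[^\n]*\n)*?\n"  # armor headers up to the blank line
    r"(?P<text>.*?)"
    r"-----BEGIN PGP SIGNATURE-----\n"
    r"(?P<sig>[0-9a-f]{64})\n"
    r"-----END PGP SIGNATURE-----\n",
    re.S,
)

def pgp_verify(message: str) -> bool:
    """Check only the region between the armor lines, after un-escaping."""
    m = _CLEARSIGNED.search(message)
    if not m:
        return False
    text = "".join(
        (line[2:] if line.startswith("- ") else line) + "\n"
        for line in m.group("text").split("\n")[:-1]
    )
    return hashlib.sha256(_canonical(text)).hexdigest() == m.group("sig")


def demo(body: str) -> dict:
    """Send `body` through the list both ways and report which signature
    still verifies on the copy a subscriber receives."""
    detached = smime_sign(body)  # travels unchanged in the signature part
    return {
        "smime": smime_verify(listserv_rewrite(body), detached),
        "pgp": pgp_verify(listserv_rewrite(pgp_clearsign(body))),
    }


if __name__ == "__main__":
    print("plain text:", demo(BODY_PLAIN))             # {'smime': False, 'pgp': True}
    print("tab-indented line:", demo(BODY_WITH_TABS))  # {'smime': False, 'pgp': False}
```

The plain body loses its S/MIME digest but keeps its inline signature: the stripped trailing space is removed by the cleartext canonicalisation anyway, and the tagline lands after the END PGP SIGNATURE line, outside the signed region, exactly where it appears on the messages in this thread. The second body shows the limit of "more forgiving": leading whitespace is not canonicalised, so the tab-to-spaces change breaks the inline signature too, and a tagline inserted before the signature block (as the 83a84,86 hunk does for the S/MIME message) would break it as well. Note also that the trailing space on a format=flowed line is a soft line break marker, so the list's stripping changes paragraph reflow at the reader's end in addition to the digest.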
Current thread:
- New SANS Discount Programs to Educational Centers H. Morrow Long (Nov 25)
- <Possible follow-ups>
- Re: New SANS Discount Programs to Educational Centers David Escalante (Dec 01)
- Re: New SANS Discount Programs to Educational Centers H. Morrow Long (Dec 01)
- Re: New SANS Discount Programs to Educational Centers Jefferson, Ronnie V. (Dec 01)
- Re: New SANS Discount Programs to Educational Centers Joe St Sauver (Dec 01)
- Re: New SANS Discount Programs to Educational Centers Dave Koontz (Dec 01)
- Re: New SANS Discount Programs to Educational Centers Jefferson, Ronnie V. (Dec 01)
- Re: New SANS Discount Programs to Educational Centers H. Morrow Long (Dec 01)
- Re: New SANS Discount Programs to Educational Centers JS Gluck (Dec 02)
- Re: New SANS Discount Programs to Educational Centers Jefferson, Ronnie V. (Dec 02)