Full Disclosure mailing list archives

Re: Re: E-Mail viruses

From: Jorge Daza <jorge () naranet biz>
Date: Sun, 7 Mar 2004 22:38:53 +0100


Hello,

why not solve the problem the way it is handled in other environments ?

We have two people that do not necessarily trust each other, and they
want to share a file. We can create trusted third parties to verify
origin, store and maybe even analyze the file.

A the receiver
B the sender
C the trusted third party

A trusts C, C trusts A
B trusts C, C trusts B

B sends an email to C with the file digitally signed. C stores, and
analyzes (not really helpful, as I don't think we can trust analyzers)
the file and sends a new digitally signed message to A, with
either the file or a pointer to the file stored in a trusted location.

A decides whether she wants to follow the pointer or leave the file in
storage. Whenever we stop trusting either A or B the third party can
stop trusting them leaving the trusting chain still secure.

The trusted third party can be inside or outside the company, but we
decide who is the people we really want to accept attachments from.

This solves some problems that could arise with other solutions. For
example, if we have a secret extension, it is shared by all employees...
that means, any time an employee leaves the company we have to change
the secret for everybody. Not good.

Other problem that comes to my mind, weak shared secrets might solve the
problem in some way for spreading massive viruses but not for directed
attacks. In those cases probably the attacker is already reading the
email of some or all of the employees, thus she surely knows the secret
extension. Even if the attacker can't read the email, lets consider the
strength of a secret that is sent plaintext on every message. Not good.

Of course this solution can be too complex for home users, that can
still rely on crypto, but not to receive attachments from people they
don't even know.

But I guess it could be implemented in bussiness environments.

My two cents.

Best wishes,

Jorge

-- 
Jorge Daza - jorge () naranet biz - GPG key available
----------   -----------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Re: E-Mail viruses, (continued)
- - - Re: Re: E-Mail viruses Nick FitzGerald (Mar 08)
    - RE: [inbox] Re: Re: E-Mail viruses Curt Purdy (Mar 09)
    - Re: [inbox] Re: Re: E-Mail viruses gadgeteer (Mar 05)
    - RE: [inbox] Re: Re: E-Mail viruses Patrick Nolan (Mar 05)
    - Re: [inbox] Re: Re: E-Mail viruses Nick FitzGerald (Mar 05)
    - RE: [inbox] Re: Re: E-Mail viruses Aditya, ALD [Aditya Lalit Deshmukh] (Mar 07)
    - RE: [inbox] Re: Re: E-Mail viruses Nick FitzGerald (Mar 07)
    - Re: [inbox] Re: Re: E-Mail viruses Jorge Daza (Mar 07)
    - Re: [inbox] Re: Re: E-Mail viruses Nick FitzGerald (Mar 07)
    - Re: [inbox] Re: Re: E-Mail viruses Sam Sharpe (Mar 08)
  - Re: Re: E-Mail viruses Jorge Daza (Mar 07)
- Re: E-Mail viruses Incident List Account (Mar 05)
  - RE: [inbox] Re: E-Mail viruses Curt Purdy (Mar 05)
- Re: Re: E-Mail viruses Paul Szabo (Mar 05)
  - Re: Re: E-Mail viruses docco (Mar 06)
    - Re: Re: E-Mail viruses Curt Purdy (Mar 06)
    - Re: Re: E-Mail viruses Eddie (Mar 06)
    - RE: Re: E-Mail viruses Aditya, ALD [Aditya Lalit Deshmukh] (Mar 08)
    - Re: Re: E-Mail viruses docco (Mar 08)
    - Re: Re: E-Mail viruses Bruno Wolff III (Mar 08)
- Re: Re: E-Mail viruses MacDougall, Shane (Mar 06)

(Thread continues...)