Full Disclosure mailing list archives
Re: Re: E-Mail viruses
From: Jorge Daza <jorge () naranet biz>
Date: Sun, 7 Mar 2004 22:38:53 +0100
Hello, why not solve the problem the way it is handled in other environments? We have two people that do not necessarily trust each other, and they want to share a file. We can create trusted third parties to verify origin, store and maybe even analyze the file.

A the receiver
B the sender
C the trusted third party

A trusts C, C trusts A
B trusts C, C trusts B

B sends an email to C with the file digitally signed. C stores, and analyzes (not really helpful, as I don't think we can trust analyzers) the file and sends a new digitally signed message to A, with either the file or a pointer to the file stored in a trusted location. A decides whether she wants to follow the pointer or leave the file in storage.

Whenever we stop trusting either A or B the third party can stop trusting them, leaving the trusting chain still secure. The trusted third party can be inside or outside the company, but we decide who are the people we really want to accept attachments from.

This solves some problems that could arise with other solutions. For example, if we have a secret extension, it is shared by all employees... that means, any time an employee leaves the company we have to change the secret for everybody. Not good.

Another problem that comes to my mind: weak shared secrets might solve the problem in some way for spreading massive viruses but not for directed attacks. In those cases probably the attacker is already reading the email of some or all of the employees, thus she surely knows the secret extension. Even if the attacker can't read the email, let's consider the strength of a secret that is sent plaintext on every message. Not good.

Of course this solution can be too complex for home users, who can still rely on crypto, but not to receive attachments from people they don't even know. But I guess it could be implemented in business environments. My two cents.
Best wishes,
Jorge

--
Jorge Daza - jorge () naranet biz - GPG key available

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
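The relay described in the message above, as an added example that is not part of the original post: B submits a file to C, C verifies and stores it, and A receives an authenticated pointer. It assumes pairwise HMAC keys (A-C and B-C) as a standard-library stand-in for the digital signatures the post mentions; `ThirdParty`, `tag`, `relay`, `accept` and `demo` are hypothetical names.

```python
import hashlib, hmac, secrets

def tag(key, *parts):
    """HMAC over length-prefixed parts; stand-in for a digital signature."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(8, "big") + p)
    return mac.digest()

class ThirdParty:
    """C: one pairwise key per enrolled party, plus the file store."""
    def __init__(self):
        self.keys = {}     # party name -> key shared only with C
        self.store = {}    # pointer (SHA-256 hex) -> file bytes
    def enroll(self, name):
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]
    def revoke(self, name):
        self.keys.pop(name, None)   # no other party has to change anything
    def relay(self, sender, recipient, data, sender_tag):
        """Verify B's tag, store the file, return (pointer, tag for A)."""
        s_key, r_key = self.keys.get(sender), self.keys.get(recipient)
        if s_key is None or r_key is None:
            return None             # C no longer trusts one of the two
        if not hmac.compare_digest(tag(s_key, recipient.encode(), data), sender_tag):
            return None             # forged or altered submission
        pointer = hashlib.sha256(data).hexdigest()
        self.store[pointer] = data
        return pointer, tag(r_key, sender.encode(), pointer.encode())

def accept(key, sender, notice, c):
    """A's side: check C's tag on the notice, then follow the pointer."""
    if notice is None:
        return None
    pointer, c_tag = notice
    if not hmac.compare_digest(tag(key, sender.encode(), pointer.encode()), c_tag):
        return None
    data = c.store.get(pointer)
    return data if data is not None and hashlib.sha256(data).hexdigest() == pointer else None

def demo():
    c = ThirdParty()
    key_a, key_b = c.enroll("A"), c.enroll("B")
    doc = b"constructed sample attachment"
    ok = accept(key_a, "B", c.relay("B", "A", doc, tag(key_b, b"A", doc)), c)
    forged = c.relay("B", "A", doc, tag(secrets.token_bytes(32), b"A", doc))
    c.revoke("B")                   # B leaves; A's key is untouched
    after = c.relay("B", "A", doc, tag(key_b, b"A", doc))
    return ok, forged, after
```

Revoking B removes only B's key at C, which is the contrast with the shared secret extension: no other party's credential changes when one party stops being trusted.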