funsec mailing list archives
Re: facebook messages worm
From: "John C. A. Bambenek, GCIH, CISSP" <bambenek.infosec () gmail com>
Date: Thu, 7 Aug 2008 11:44:59 -0500
But there is *SOME* benefit. Granted, many unsophisticated users don't check the location bar to verify that they are actually at, say, citibank.com. But some do. I would think the same is true for e-mail; someone would notice this "Facebook" message isn't from facebook.

Of course, since no authentication is required to submit PGP keys (unless this has changed) that might not necessarily be true, but that's a process question, not a technology one (i.e. verify the e-mail before allowing someone to submit a key for that email).

For more important messages, such as, say, communication from federal courts (which also include clickable links), you could easily write spam-filter rules that look for these highly formatted messages and verify they are, in fact, signed from the US courts.

A thought. But yes, it's incrementalism. Sometimes that's all we have.

On Thu, Aug 7, 2008 at 11:29 AM, <Valdis.Kletnieks () vt edu> wrote:
> On Thu, 07 Aug 2008 10:58:07 CDT, "John C. A. Bambenek, GCIH, CISSP" said:
> > Has anyone heard of digital signatures for e-mail? :)
>
> Well, this RFC probably counts as "prior art" 20 years ago:
>
> 0989 Privacy enhancement for Internet electronic mail: Part I: Message encipherment and authentication procedures. J. Linn. February 1987. (Format: TXT=63934 bytes) (Obsoleted by RFC1040, RFC1113) (Status: UNKNOWN)
>
> The *real* problem is that digital signatures for E-mail work in *exactly the same way* and provide *the same protection* as SSL does for the Web.
>
> Yes, that's the problem, not the solution statement.