Vulnerability Development mailing list archives
Re: PGP Signed Messages
From: "Dennis V. Kudin" <kudin () bezpeka com>
Date: Wed, 17 Oct 2001 11:53:39 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Monday, October 15, 2001, 5:27:33 PM, you wrote:
> It occurred to me today what a bad idea the Comment Field is in PGP signed messages. Altering the Comment field does not affect the validity of the signature, but to the inexperienced PGP/GPG user it certainly appears to be part of the message.
The risk depends on how the signature is verified. I can give a simple example where such a "comment field" can really spoof an inexperienced user:

Mail client: TheBat! with the PGP 6.0.x/6.5.x plug-in installed. When you check the PGP signature of a message, it DOESN'T show the text of the verified message. It only says whether the signature is good or bad, and shows the name of the mailer, the signer, the validity status and the date/time. So, in any case, you read the whole text of the signed message, including all fields.

____________________________________________
Sincerely,
Dennis V. Kudin
Ukrainian Information Security Center
Coordinator of Internet-portal BEZPEKA
e-mail: kudin () bezpeka com
web-sites: http://www.bezpeka.com http://www.bezpeka.net http://www.bezpeka.org
phone: +380-612-12-92-83
fax: +380-612-12-92-82

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i

iQA/AwUBO805DTRm6ItERtt2EQJFEACfa0N+e2SsKiGH/PTc1FSzUQ/QoUQAnRBJ
jQck+9JcZBrA4FofFVwPk1C/
=fYAo
-----END PGP SIGNATURE-----
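The point the thread makes is that the armor headers (Hash:, Version:, Comment:) of a cleartext-signed message are outside the signed text, so a client that only reports "good signature" leaves the reader to mix them up with the message. The following parser, an added example that is not part of this thread or of any PGP implementation, splits an RFC 4880 cleartext-signed message into the unsigned header lines, the dash-unescaped signed text, and the signature lines, so a verifier UI can display only the signed portion as verified. The message in SAMPLE is constructed for the example; its signature block is a placeholder, not a real signature.

```python
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_cleartext_signed(message):
    """Return (unsigned_headers, signed_text, signature_lines); unsigned_headers
    holds every armor header (Hash:, Version:, Comment:) from both the cleartext
    header block and the signature block, none of which the signature covers."""
    lines = message.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("not a cleartext-signed message") from exc
    # Cleartext header block: armor headers up to the first empty line (RFC 4880 s7).
    i = start + 1
    headers = []
    while i < sig_start and lines[i] != "":
        headers.append(lines[i])
        i += 1
    i += 1  # skip the single blank line that ends the header block
    # Signed text is dash-escaped: a line that began with '-' was sent as '- ' + line.
    body = [l[2:] if l.startswith("- ") else l for l in lines[i:sig_start]]
    # Signature block: its own armor headers (Version:, Comment:), blank line, base64.
    j = sig_start + 1
    while j < sig_end and lines[j] != "":
        headers.append(lines[j])
        j += 1
    signature = lines[j + 1:sig_end]
    return headers, "\n".join(body), signature


# Constructed sample: the Comment header reads like part of the message but sits
# in the unsigned signature armor, exactly the field the thread warns about.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The meeting is on Friday at 10:00.
- -- this line was dash-escaped by the signer
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i
Comment: Update: the meeting is cancelled.

AAAA
=AAAA
-----END PGP SIGNATURE-----
"""
```

Real signature verification still has to be done by the OpenPGP implementation; this split only decides which bytes the user is shown as covered by that verification.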