Bugtraq mailing list archives
Re: PGP 6.5.1 has been released
From: jen () ETTNET SE (Joel Eriksson)
Date: Tue, 13 Jul 1999 11:23:58 +0200
On Sun, Jul 11, 1999 at 02:05:18PM +0000, ___Viper___ _ wrote:
> "Having the option" never hurt anyone. You can produce SDAs, and use them if you wish, AND you can NOT open executables that arrived in your mailbox and you don't trust.
Yes, you can. Unfortunately, people in general do not tend to have such good security practices. Encryption is a step towards better security, but using encryption that forces the receiver to execute a possibly malicious program based only upon trust in the sender, and that the message was not modified on its way over the Internet, is a real problem. Maybe it would help with a program that verifies that a program really is an SDA, but that sort of makes the whole idea of an SDA rather useless. What was appealing with an SDA in the first place was that the receiver of an SDA did not have to have PGP to decrypt the file. Even when you have ultimate trust in the sender, and even when you have verified that the sender did send a message containing an SDA, you can not be sure. The message may have been modified on its way. This could of course be easily verified if the message was PGP signed, but since there (fortunately!) still is no such thing as Self Verifying E-mail, the receiver would have to have PGP, and therefore a normal PGP encrypted archive could have been sent instead! "Having the option" does not hurt the advanced users that are aware of the potential security threats. They probably already have PGP, and hopefully would not trust, or send, an SDA. SDAs are appealing to many who think using an encryption program is too complicated. The point-and-click generation of computer (l)users, that is. Security has become a buzzword nowadays though, so many would probably like the idea of using encryption without the fuss. For this group of people, encryption implies security; they will probably have more trust in an SDA than a "regular" executable (of course, there is no real difference).
> It's madness to say that it is a "security threat". With your logic, e-mailing is a security threat as well ;-) Who knows what you can send over e-mail !
Embedded code in anything but programs (scripts included) is a threat. One should be able to know exactly which files contain executable code. With Unix, that is usually any executables, the kernel and system libraries. With Windows, the limits expand every day it seems.
> Take care, V.
--
Joel Eriksson, Security Consultant
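The thread's practical point is that a "self-decrypting archive" is just an executable, and that a receiver should be able to tell which attachments contain executable code without relying on the sender's description. The following is an added example, not code from the post or from PGP: a small mail-side check that classifies attachments by their leading bytes (the PE `MZ` header, the ELF header, an interpreter line) rather than by filename, so a renamed executable arriving as `report.sda` is still flagged. The magic-byte table, the sample message and the attachment names are constructed for the example.

```python
"""Flag executable attachments by content, not by name or extension.

Added example for the SDA discussion; the magic-byte table and the
sample message below are constructed, not taken from any real mail.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Leading bytes of common executable formats. Constructed list for the
# example; extend it for the platforms whose mail you actually handle.
EXECUTABLE_MAGIC = {
    b"MZ": "DOS/Windows PE executable (what an SDA is under the hood)",
    b"\x7fELF": "ELF executable",
    b"#!": "script with an interpreter line",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary or Java class file",
}


def classify_attachment(data: bytes) -> Optional[str]:
    """Return a description if the bytes start like executable code, else None.

    The filename is deliberately ignored: an executable renamed to
    'report.sda' or 'invoice.txt' still starts with the same header.
    """
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return description
    return None


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Walk a MIME message and return (filename, reason) for every
    attachment whose decoded payload looks executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # decode=True undoes base64/quoted-printable so we see the real bytes
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(payload)
        if reason is not None:
            findings.append((part.get_filename() or "<unnamed>", reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a harmless text attachment plus an 'SDA' that is
    really a Windows executable header under a friendly-looking name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "receiver@example.invalid"
    msg["Subject"] = "Encrypted report"
    msg.set_content("Double-click the attached self-decrypting archive.")
    msg.add_attachment("quarterly numbers\n", filename="notes.txt")
    # Fake PE header: DOS stub signature plus padding. Constructed bytes,
    # not a runnable program.
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="report.sda")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"{name}: {reason}")
```

Run as a script, it reports only `report.sda`, because the check looks at what the attachment is rather than what it is called; the text attachment passes untouched. The same function can sit in a delivery filter or a quarantine step, and the magic table is the only part that needs tuning per site.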