Bugtraq mailing list archives

Re: PGP 6.5.1 has been released

From: jen () ETTNET SE (Joel Eriksson)
Date: Tue, 13 Jul 1999 11:23:58 +0200


On Sun, Jul 11, 1999 at 02:05:18PM +0000, ___Viper___ _ wrote:

"Having the option" never hurt anyone.
You can produce SDAs, and use them if you wish,
AND you can NOT open executables that arrived in
your mailbox and you don't trust.


Yes, you can. Unfortunately, people in general does not tend to have such
good securitypractices. Encryption is a step towards better security, but
using encryption that forces the receiver to execute a possibly malicious
program based only upon trust in the sender, and that the message was not
modified on its way over the Internet is a real problem..

Maybe it would help with a program that verifies that a program really is
an SDA, but that sort makes the whole idea of an SDA rather useless. What
was appealing with an SDA in the first place was that the receiver of an
SDA did not have to have PGP to decrypt the file.

Even when you have ultimate trust on the sender, and even when yoy have
verified that the sender did send a message containing an SDA, you can
not be sure. The message may have been modified on its way..

This could of course be easily verified if the message was PGP signed,
but since there (fortunately!) still is no such thing as Self Verifying
E-mail the receiver would have to have PGP, and therefore a normal PGP
encrypted archive could have been sent instead!

"Having the option" does not hurt the advanced users that are aware of the
potential securitythreats. They probably already have PGP, and hopefully
would not trust, or send, an SDA.

SDAs are appealing to many, who thinks using an encryption-program is too
complicated. The point-and-click generation of computer (l)users that is.
Security has become a buzz-word nowadays though, so many would probably
like the idea of using encryption without the fuzz.

For this group of people, encryption implies security, they will probably
have more trust in an SDA than a "regular" executable (of course, there is
no real difference).

It's madness to say that it is a "security threat".
With your logic, e-mailing is a security threat as well ;-)
Who knows what you can send over e-mail !


Embedded code in anything but programs (scripts included) is a threat.
Òne should be able to know exactly which files that contains executable
code. With Unix, that is usually any executables, the kernel and system
libraries. With Windows, the limits expand every day it seems.

Take care,
V.


--
Joel Eriksson
Security Consultant

Current thread:

PGP 6.5.1 has been released Cody Brownstein (Jul 06)
- Re: PGP 6.5.1 has been released Nick_ (Jul 07)
- Security Bulletins Digest aleph1 () UNDERGROUND ORG (Jul 08)
- <Possible follow-ups>
- Re: PGP 6.5.1 has been released Steven M. Bellovin (Jul 07)
  - Re: PGP 6.5.1 has been released Kenneth Albanowski (Jul 12)
- Re: PGP 6.5.1 has been released ___Viper___ _ (Jul 11)
  - Re: PGP 6.5.1 has been released Mark Wooding (Jul 13)
- Re: PGP 6.5.1 has been released Joel Eriksson (Jul 13)