[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Applicability of signed messages as proof of sending

To: Richard Laager <rlaager@xxxxxxxxxx>
Subject: Re: Applicability of signed messages as proof of sending
From: Ben Laurie <ben@xxxxxxxxxxxxx>
Date: Sun, 14 Aug 2005 16:42:19 +0100
Cc: ietf-openpgp@xxxxxxx
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-id: <ietf-openpgp.imc.org>
List-unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
References: <> <> <> <> <> <> <> <> <>
Sender: owner-ietf-openpgp@xxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Richard Laager wrote:

I'll admit that MITM attacks are rare and sophisticated, but if you're
not guarding against them, the only take you prevent is casual snooping
on the wire. If you're only going to worry about casual snooping, you
could just as well use rot13 as your "encryption". (Granted, I'm
exaggerating a little, but why bother with something as complex and
secure as OpenPGP to prevent casual snooping.) Your points about
keyloggers, etc. are very valid.

I wish we could kill this myth that MitM is "rare and sophisticated". On wireless networks, they are common and trivial.

On wired networks they are easy for the network admins to mount. The practice is sufficiently commonplace that many corps have their own CA keys in employees' browsers so they can forge X509 certs.

Keylogging is a _much_ harder attack to mount.

Cheers,

Ben.

--
>>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Follow-Ups:
- Re: Applicability of signed messages as proof of sending
  - From: Ian G

References:
- Draft Minutes of OpenPGP
  - From: Derek Atkins
- Re: Draft Minutes of OpenPGP
  - From: Ian Grigg
- Re: Draft Minutes of OpenPGP
  - From: Len Sassaman
- Re: Draft Minutes of OpenPGP
  - From: Ian G
- Re: Draft Minutes of OpenPGP
  - From: Len Sassaman
- Applicability of signed messages as proof of sending
  - From: Ian G
- Re: Applicability of signed messages as proof of sending
  - From: Len Sassaman
- Re: Applicability of signed messages as proof of sending
  - From: Ian G
- Re: Applicability of signed messages as proof of sending
  - From: Richard Laager

Prev by Date: Re: "The OpenPGP mail and news header" extenssion
Next by Date: Re: "The OpenPGP mail and news header" extenssion
Previous by thread: Re: Applicability of signed messages as proof of sending
Next by thread: Re: Applicability of signed messages as proof of sending
Index(es):
- Date
- Thread