
Re: Execution of signed scripts received by e-mail



On Sat, 13 Jul 1996, Steffen Zahn wrote:

> I suggest ignoring Reply-To: etc and requiring a return address inside
> the signed region of the mail, otherwise someone could intercept the mail
> (suppressing the original) and resend it from his account and the results
> would get sent to the interceptor.

I agree.  Having a return address outside the signature allows for denial-of-
service attacks and it would be trivial to intercept the output of the script.
Definitely not a Good Thing.

>  Another idea would be to extract the return address from the PGP userid
> which signed the script.

There are a couple of problems with this idea:

	- The security of this scheme depends on trusting the user to sign her
	key.  If the user doesn't, then an attacker can intercept the user's
	key and alter the key ID.

	- Even if the user does sign her key, there is still the problem of
	an attacker being able to generate a key with an identical key ID and
	a different user ID.  If the attacker has the ability to intercept
	and modify messages, a MITM attack would be very effective.  If the
	key's fingerprint was included in the signed message, an MITM attack
	would be necessary to subvert the system.

If the key's fingerprint is included in the message, then it certainly wouldn't
take much more effort to put a return address in the signed body of the
message.

-- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[email protected]              | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
"Freedom is the freedom to say that two plus two make four.  If that
is granted, all else follows."  --George Orwell, _1984_
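An added example (not code from this thread) of the check the two posters converge on: an HMAC stands in for the PGP signature (an assumption, so the demo runs offline), a Reply-To header sits outside the signed region, and a Return-Address line sits inside it. A verifier that trusts the header accepts an intercepted copy whose header was rewritten; one that verifies first and reads the address only from the signed region does not, and rejects a copy whose signed address was altered.

```python
import hashlib
import hmac

# Constructed stand-in for the PGP signature: an HMAC over the signed region.
# What matters here is which bytes the signature covers, not the primitive.
SIGNING_KEY = b"constructed-demo-key"
BEGIN = "-----BEGIN SIGNED SCRIPT-----"
END = "-----END SIGNED SCRIPT-----"


def sign_region(region: str) -> str:
    return hmac.new(SIGNING_KEY, region.encode(), hashlib.sha256).hexdigest()


def build_message(reply_to: str, signed_return: str, script: str) -> str:
    """Reply-To sits outside the signed region; Return-Address sits inside it."""
    region = f"Return-Address: {signed_return}\n\n{script}\n"
    return (f"Reply-To: {reply_to}\n\n{BEGIN}\n{region}{END}\n"
            f"Signature: {sign_region(region)}\n")


def signed_region(raw: str) -> str:
    start = raw.index(BEGIN) + len(BEGIN) + 1
    return raw[start:raw.index(END)]


def naive_result_address(raw: str) -> str:
    """The design the thread rejects: trust the unsigned Reply-To header."""
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line.startswith("Reply-To:"):
            return line.split(":", 1)[1].strip()
    return ""


def verified_result_address(raw: str):
    """Verify first, then take the address only from inside the signed region."""
    region = signed_region(raw)
    sig = raw.split("Signature:", 1)[1].strip()
    if not hmac.compare_digest(sign_region(region), sig):
        return None  # signed region altered: run nothing, send nothing
    for line in region.splitlines():
        if line.startswith("Return-Address:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed samples: the legitimate message, an intercepted copy with only the
# unsigned header rewritten, and a copy with the signed address rewritten.
ORIGINAL = build_message("alice@example.org", "alice@example.org", "echo hello")
HEADER_REWRITTEN = ORIGINAL.replace("Reply-To: alice@example.org",
                                    "Reply-To: mallory@example.net")
BODY_REWRITTEN = ORIGINAL.replace("Return-Address: alice@example.org",
                                  "Return-Address: mallory@example.net")
```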