On Sun, Jul 11, 1999 at 02:05:18PM +0000, ___Viper___ _ wrote: > "Having the option" never hurt anyone. > You can produce SDAs, and use them if you wish, > AND you can NOT open executables that arrived in > your mailbox and you don't trust. Yes, you can. Unfortunately, people in general does not tend to have such good securitypractices. Encryption is a step towards better security, but using encryption that forces the receiver to execute a possibly malicious program based only upon trust in the sender, and that the message was not modified on its way over the Internet is a real problem.. Maybe it would help with a program that verifies that a program really is an SDA, but that sort makes the whole idea of an SDA rather useless. What was appealing with an SDA in the first place was that the receiver of an SDA did not have to have PGP to decrypt the file. Even when you have ultimate trust on the sender, and even when yoy have verified that the sender did send a message containing an SDA, you can not be sure. The message may have been modified on its way.. This could of course be easily verified if the message was PGP signed, but since there (fortunately!) still is no such thing as Self Verifying E-mail the receiver would have to have PGP, and therefore a normal PGP encrypted archive could have been sent instead! "Having the option" does not hurt the advanced users that are aware of the potential securitythreats. They probably already have PGP, and hopefully would not trust, or send, an SDA. SDAs are appealing to many, who thinks using an encryption-program is too complicated. The point-and-click generation of computer (l)users that is. Security has become a buzz-word nowadays though, so many would probably like the idea of using encryption without the fuzz. For this group of people, encryption implies security, they will probably have more trust in an SDA than a "regular" executable (of course, there is no real difference). > It's madness to say that it is a "security threat". > With your logic, e-mailing is a security threat as well ;-) > Who knows what you can send over e-mail ! Embedded code in anything but programs (scripts included) is a threat. ̉ne should be able to know exactly which files that contains executable code. With Unix, that is usually any executables, the kernel and system libraries. With Windows, the limits expand every day it seems. > Take care, > V. -- Joel Eriksson Security Consultant
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:05 PDT