Re: CRIME Fake Microsoft Security Bulletins making the rounds

From: Alan (alan@private)
Date: Thu Apr 14 2005 - 18:44:47 PDT


On Thu, 2005-04-14 at 09:51 -0700, Gary Driggs wrote:
> Craig wrote:  
> > The method with the most assurance is to check the PGP signature at
> > the bottom of each Microsoft message.  However, if you don’t have
> > PGP you can verify each hyperlink actually goes to a Microsoft site.
> > You can also analyze the email headers to validate that each one
> > came from a Microsoft site.  I use Sam Spade, which is a suite of
> > tools.  One of the Sam Spade tools will analyze email headers and
> > tell you whether the information is potentially a forgery. 
> 
> Are you getting their public key from a trusted key ring or another
> trusted source at Microsoft? It's trivial for me to sign my messages
> @microsoft.com but if there's not a trusted 3rd party involved to
> validate my key, you can't verify that I'm really a Microsoft
> employee. This is why, in my opinion, S/MIME is safer for email
> signing because setting up your own Certificate Authority is a
> non-trivial task.

Actually it is pretty easy.  Getting it accepted by the client is
another thing.  But why do that when you can just use social engineering
on the CA?  (Which happened with Verisign a few years back. They issued
a couple of certs with Microsoft's name on them.)

You also have to have a client that supports S/MIME.  Not all mail
clients do at this point.

PGP/GPG uses a "web of trust".  Since the people I trust are probably
different than the people you trust, it uses a chain of certifications.
It is not one monolithic CA, but a bunch of little ones.  

Unfortunately there is no widely accepted scheme to say "this key only
applies to X".  If there was such a thing, someone would patent it and
extort money out of everyone, guaranteeing that it would never gain
acceptance.

-- 
"When a student reads in a math book that there are no absolutes,
suddenly every value he's been taught is destroyed. And the next thing
you know, the student turns to crime and drugs." - Mel Gabler - Censor
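Craig's second suggestion above, checking that every hyperlink in a bulletin actually points at a Microsoft site, is easy to get wrong by eye: a host like www.microsoft.com.example.net, or a URL with "www.microsoft.com@" in front of the real host, reads as Microsoft's in a mail client. The following is an added example, not code from this thread or from any of its participants, that performs that check on a constructed bulletin body. The trusted-domain list, the regex used to pull out href attributes, and the sample URLs are assumptions made for the illustration; the genuine Microsoft suffixes you accept are your decision.

```python
import re
from urllib.parse import urlsplit

# Assumption: which domain suffixes count as "a Microsoft site" for this check.
TRUSTED_DOMAINS = ("microsoft.com", "windowsupdate.com")

# Constructed sample bulletin body (hypothetical URLs): one genuine link,
# one suffix lookalike, one userinfo trick, one trailing-dot/uppercase host.
SAMPLE_BODY = """
<p>Security update available:</p>
<a href="https://www.microsoft.com/technet/security/bulletin/">Bulletin summary</a>
<a href="http://www.microsoft.com.example.net/update">Download update</a>
<a href="http://www.microsoft.com@203.0.113.5/patch">Install patch</a>
<a href="http://MICROSOFT.COM./bulletin">Knowledge base</a>
"""

# Simple href extractor; enough for the plain HTML that bulletins use.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(body):
    """Return every href value in document order."""
    return HREF_RE.findall(body)


def link_host(url):
    """Return the host the browser would actually connect to, or None.

    urlsplit().hostname drops the user@ part and the port and lowercases
    the name, so 'http://www.microsoft.com@203.0.113.5/' yields '203.0.113.5'.
    """
    return urlsplit(url).hostname


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host equals a trusted domain or is a subdomain of one.

    The comparison is anchored on a dot so 'microsoft.com.example.net'
    does not match, and a trailing dot (an absolute DNS name) is stripped.
    """
    if not host:
        return False
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_links(body, trusted=TRUSTED_DOMAINS):
    """Return (url, resolved_host, trusted?) for every link in the body."""
    results = []
    for url in extract_links(body):
        host = link_host(url)
        results.append((url, host, is_trusted(host, trusted)))
    return results


if __name__ == "__main__":
    for url, host, ok in classify_links(SAMPLE_BODY):
        print("TRUSTED  " if ok else "SUSPECT  ", host, "<-", url)
```

The check is deliberately applied to the href target, not to the link text the reader sees, because the visible text is what a forged bulletin controls most freely. It complements rather than replaces the PGP signature check Craig lists first: a link check catches a bulletin whose links leave Microsoft's domains, while only the signature (with a key obtained from a trusted source, as Gary points out) tells you the message itself came from Microsoft.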



This archive was generated by hypermail 2.1.3 : Sat Apr 16 2005 - 00:17:12 PDT