[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: all xterms

On Wed, Nov 03, 1999 at 12:55:40PM -0500, Daniel Burrows wrote:
> > >   [2] Yes, if you have a small path (/bin:/usr/bin:/usr/local/bin) this isn't `
> > >      likely to be a problem, but hardcoding the path will be equally secure on
> > >      all setups including those with unholy default paths ;-).
> > 
> > It wont be secure cause I wont be able to check signature's validity
> > if I install pgp to /usr/local/ or /opt/ or any else place in the $PATH
> > This is bad for security.
>   Uh, yes you can check signatures.  Just tell it where to look.

Sorry for this example, but my soul is dark and full of criminal ideas.

`which pgp'
`which gpg'
`cat /etc/Muttrc|grep p?gpg?'
and a few tests more
now he knows what to do now

admin have someone's key and uses mutt

*EVIL CRACKER* sends him a mail from someone admin knows good
with faken info. This mail is signed with *A WRONG KEY*

there is >50% chance than admin wont bother to check mail by
pgp from command line. Most of them have motto of
'I will fix it tommorow'(here:it = mutt) and believe that if someone
signed mail it is validly signed

he uses the wrong info and makes security hole

*EVIL CRACKER* exploits this hole

This will need a good expert on social engeenering and some luck
but it is a *little* security hole

Reply to: