Cryptographic signatures


 

I just got a bounce that the other topic was locked. I'd like to
recommend the use of cryptographic signatures as a means to be
reasonably assured of the sender's legitimacy.

The recent thread is all the more reason to use tools such as
cryptographic signatures where possible, IMO. Unfortunately, some
amateur radio mailing lists block signed messages and I must send
messages to those lists in the clear (all of the Linux related lists I
subscribe to accept signed messages). Now, a cryptographic signature
does not prevent someone from spoofing my email address, but if it's a
direct mail from me and it's not signed like this one is, then the
recipient can be assured that it wasn't from me.

The spoofing of email addresses is a problem but it doesn't necessarily
mean that an account was cracked. However, when using a cryptographic
signature, the spoof is easily identified as the spoofer should not have
access to the private key used to sign the email nor should he know the
password to unlock the private key for signing. An email client program
will check the signed message against the public key which is often
available from a public key server and verify the signature.

72, Nate

--

"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."

Web: https://www.n0nb.us GPG key: D55A8819 GitHub: N0NB


 

Looking at the parent message my email client, neomutt, reports a bad
signature. Apparently, this is not unique to this list but I get the
same result from other groups.io lists as well. Sigh...

72, Nate

--

"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."

Web: https://www.n0nb.us GPG key: D55A8819 GitHub: N0NB


WA4EFS
 

Just so everyone knows, if a message starts with “Dearest, …” it’s not from me!

 

J Lloyd (WA4EFS)

 


AD0QM <jeff@...>
 

The problem with mailing lists is the contents get mangled while being sent out by the mailing list software. If the list has different max widths than you when signing you can get bad results. Signing really only works when the thing you sign is an attachment. It's been the biggest complaint about PGP style email signatures next to how to build your web of trust.

When I use PGP for sending emails I only get consistent results by sending a message saying "Please see attachment for contents of message" and never using PGP for mailing lists.

Jeff

PS I'm sure the signature on this response will come up bad too.


On June 30, 2019 10:47:34 AM CDT, Nate Bargmann <n0nb@...> wrote:
> Looking at the parent message my email client, neomutt, reports a bad
> signature. Apparently, this is not unique to this list but I get the
> same result from other groups.io lists as well. Sigh...
>
> 72, Nate


 

As I understand it now, Groups.io munges the email body by inserting its
own footer at the end of the message. Since the cryptographic signature
does not include this extra text, the signature test fails with the
result being a bad signature. The footer, as Groups.io calls it, cannot
be removed as mentioned in the FAQ at the bottom of this page:

https://groups.io/g/GroupManagersForum/wiki/Footers

I am subscribed to many other lists, mostly about Linux or software
development on Linux and all pass the signed data correctly. Even our
club mailing list hosted on QTH.net passes it correctly and adds a footer
that is separate from the signed message body.

Anyway, I wanted to close this thread and say that what I thought would
be a useful tool for us is made useless by the mailing list host.

72, Nate

--

"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."

Web: https://www.n0nb.us GPG key: D55A8819 GitHub: N0NB
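
The two footer behaviours described in the message above, and the line re-wrapping raised earlier in the thread, shown as an added example that is not part of any poster's message. A SHA-256 digest stands in for the OpenPGP signature (no key is involved), and the boundaries, footer text and the multipart/mixed wrapping used to keep a footer separate are constructed assumptions.

```python
import hashlib
import textwrap

CRLF = "\r\n"
DELIM = CRLF + "--sig-b"  # MIME delimiter of the multipart/signed entity (constructed)

def digest(part):
    # Stand-in for the hash an OpenPGP signature is computed over; no real key is used.
    return "sha256:" + hashlib.sha256(part.encode("utf-8")).hexdigest()

def build_signed(body):
    """multipart/signed layout (RFC 3156): part 1 is the signed entity, part 2 the signature."""
    part = CRLF.join(["Content-Type: text/plain; charset=utf-8", "", body])
    return CRLF.join([
        'Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="sig-b"',
        "", "--sig-b", part,
        "--sig-b", "Content-Type: application/pgp-signature", "", digest(part),
        "--sig-b--", ""])

def verify(message):
    """Recompute the digest over the exact bytes of part 1 and compare it with part 2."""
    chunks = message.split(DELIM)
    part, sig = chunks[1][len(CRLF):], chunks[2].split(CRLF + CRLF, 1)[1]
    return sig == digest(part)

def inline_footer(message, footer):
    """Footer text appended inside the signed body: the signed bytes change."""
    chunks = message.split(DELIM)
    chunks[1] += CRLF + footer
    return DELIM.join(chunks)

def separate_footer(message, footer):
    """Footer carried as its own MIME part (assumed layout): the signed entity is untouched."""
    return CRLF.join([
        'Content-Type: multipart/mixed; boundary="list-b"', "",
        "--list-b", message,
        "--list-b", "Content-Type: text/plain", "", footer, "--list-b--", ""])

def rewrap(message, width):
    """List software re-wrapping the signed text to a different maximum line width."""
    chunks = message.split(DELIM)
    headers, body = chunks[1].split(CRLF + CRLF, 1)
    chunks[1] = headers + CRLF + CRLF + CRLF.join(textwrap.wrap(body, width))
    return DELIM.join(chunks)

FOOTER = "-- list footer (constructed sample text) --"
BODY = ("I'd like to recommend the use of cryptographic signatures as a means "
        "to be reasonably assured of the sender's legitimacy.")
SIGNED = build_signed(BODY)  # constructed sample message
```

`verify(SIGNED)` and `verify(separate_footer(SIGNED, FOOTER))` return `True`; `verify(inline_footer(SIGNED, FOOTER))` and `verify(rewrap(SIGNED, 72))` return `False`, which is the "bad signature" a mail client reports.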


Tommy Gober
 

Unless money is changing hands, why bother with signatures?
Most of the emails sent are just yak and opinions. If I don't like it or care, I delete. If someone's going to the trouble of spoofing an email from you, emailing erroneous opinions to the email list is probably not their target.

If you're making a deal with someone to buy/sell things, then it might be worth considering.
For moderately priced items (dollar amounts I'd be really sad to completely lose), I'll want a phone call or check that your email is the same one I'm sending money to via PayPal (and that you've used that address for some time).


On Sun, Jun 30, 2019 at 10:09 AM Nate Bargmann <n0nb@...> wrote:
> I just got a bounce that the other topic was locked.  I'd like to
> recommend the use of cryptographic signatures as a means to be
> reasonably assured of the sender's legitimacy.
>
> The recent thread is all the more reason to use tools such as
> cryptographic signatures where possible, IMO.  Unfortunately, some
> amateur radio mailing lists block signed messages and I must send
> messages to those lists in the clear (all of the Linux related lists I
> subscribe to accept signed messages).  Now, a cryptographic signature
> does not prevent someone from spoofing my email address, but if it's a
> direct mail from me and it's not signed like this one is, then the
> recipient can be assured that it wasn't from me.
>
> The spoofing of email addresses is a problem but it doesn't necessarily
> mean that an account was cracked.  However, when using a cryptographic
> signature, the spoof is easily identified as the spoofer should not have
> access to the private key used to sign the email nor should he know the
> password to unlock the private key for signing.  An email client program
> will check the signed message against the public key which is often
> available from a public key server and verify the signature.
>
> 72, Nate
>
> --
>
> "The optimist proclaims that we live in the best of all
> possible worlds.  The pessimist fears this is true."
>
> Web: https://www.n0nb.us  GPG key: D55A8819  GitHub: N0NB




 

* On 2019 09 Jul 12:36 -0500, Tommy Gober wrote:
> Unless money is changing hands, why bother with signatures?
> Most of the emails sent are just yak and opinions. If I don't like it or
> care, I delete. If someone's going to the trouble of spoofing an email from
> you, emailing erroneous opinions to the email list is probably not their
> target.

Hi Tommy.

Those of us who remember MS-DOS and other early systems can recall not
needing a username or password to simply use our computer. It was a bit
perturbing to have to do that when I first started learning Linux almost
23 years ago. Eventually Microsoft made user accounts a part of their
systems and now it is second nature. Likewise, the use of SSL on the
WWW via the HTTPS protocol started out as a means to protect financial
transactions and now browsers may complain if a site doesn't use SSL.
The world is gravitating toward a greater use of cryptography even for
trivial things.

Here I'm not even advocating for the use of encryption, just signatures.
I agree that most of our communication is of little interest outside of
the QRP segment of the amateur radio hobby, but those who wish to play
on and against our good will couldn't care less.

> If you're making a deal with someone to buy/sell things, then it might be
> worth considering.
> For moderately priced items (dollar amounts I'd be really sad to completely
> lose), I'll want a phone call or check that your email is the same one I'm
> sending money to via PayPal (and that you've used that address for some
> time).

I understand your point. I want to be sure that others know and can be
reasonably certain via a signature check that it's really me offering
some item for sale or offering to purchase some item. Beyond that, I
want the same for all my electronic communications, trivial or not,
because it is no fun when people believe something was sent when it was
really due to a spoof. After that happened to me once, I chose to nip it
in the bud rather than hope it wouldn't happen again on a larger scale.
I am active on quite a number of mailing lists and would like to avoid
any loss of good will that may exist. My mail program made it
reasonably easy to set up automatically signing my mail, so I do so.

I am disappointed that the powers that be of groups.io have chosen to
break this very basic way a lot of us that use email extensively to
protect ourselves from spoofing. As I may have noted earlier, there are
at least two lists I subscribe to that reject signed mail. This is
unfortunate and so I mostly just read them and do not participate as
much. Regardless, so long as the various lists on groups.io don't
reject my signed mail outright, I will continue to send signed mail.

72/73, Nate

--

"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."

Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819