From: Ademar de Souza Reis Jr. (ademarconectiva.com.br)
Date: Wed Oct 24 2001 - 09:38:58 CDT
When you receive a PGP signed message on mutt (a very popular text
based mail client), there are some ways you know it's signed:
1. The flags "s" or "S" in the message index (and at the bottom of a message)
2. A message like "PGP signature successfully verified" at the bottom when
opening a message
3. A *highlighted* message body with the gpg output (example given below)
[-- PGP output follows (current time: Tue 23 Oct 2001 05:10:41 PM BRST) --]
gpg: Warning: using insecure memory!
gpg: Signature made Tue 23 Oct 2001 04:35:11 PM BRST using DSA key ID 825F1270
gpg: Good signature from "Ademar de Souza Reis Junior <ademarconectiva.com.br>"
[-- End of PGP output --]
[-- The following data is signed --]
[-- End of signed data --]
The point here is that since the most notorious one is (3), you can
copy&paste it in a message body (change times and some details) and
let mutt users think a message is signed when it's not.
In fact, I did it here in the company I work for. Since almost everybody
uses mutt in my department, it was easy to send a message with the
"From: " adulterated and "signed" as the boss. (Yes, the boss didn't like
it, but he understood once I explained it was a "proof of concept") :)
Yes, you can consider this just a "human mistake", a "social exploit"
or whatever you want, but I think mutt could help avoid that easily:
It could highlight the text only when it comes from gpg and not
every time it appears in the message body.
It could interact with gpg in some other (better) way.
[put your solution here]
BTW, does that "vulnerability" apply to other mail clients too?
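An added example, not part of the original post: a small Python check that looks at a raw message's MIME structure to tell a genuine PGP/MIME signature part (RFC 3156) or an inline clearsigned body apart from a body that merely contains mutt's "[-- PGP output follows" banner, which only exists in mutt's rendering and never on the wire. The sample messages are constructed (the signature block is a placeholder), and the check inspects structure only; it does not verify any signature, which remains gpg's job.

```python
import email
from email import policy
# Mutt prints this around gpg's result; it is never part of the message itself.
MUTT_BANNER = "[-- PGP output follows"

def classify_pgp(raw: bytes) -> str:
    """Return 'pgp-mime', 'inline-pgp', 'spoofed-banner' or 'unsigned'.
    Structure only: nothing here verifies a signature; that is gpg's job."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Genuine PGP/MIME (RFC 3156): multipart/signed with a detached signature part.
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"
            and any(p.get_content_type() == "application/pgp-signature"
                    for p in msg.iter_parts())):
        return "pgp-mime"
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Inline (clearsigned) PGP lives in the text body itself.
    if ("-----BEGIN PGP SIGNED MESSAGE-----" in text
            and "-----BEGIN PGP SIGNATURE-----" in text):
        return "inline-pgp"
    # Mutt's own banner inside the body means a sender pasted it there.
    if MUTT_BANNER in text:
        return "spoofed-banner"
    return "unsigned"

# Constructed samples: not real mail, and the signature block is a placeholder.
SPOOFED = b"""Content-Type: text/plain

[-- PGP output follows (current time: Tue 23 Oct 2001 05:10:41 PM BRST) --]
gpg: Good signature from "Boss <boss@example.org>"
[-- End of PGP output --]
[-- The following data is signed --]
The meeting moved to 3pm.
[-- End of signed data --]
"""
PGP_MIME = b"""Content-Type: multipart/signed; boundary="b1"; protocol="application/pgp-signature"

--b1
Content-Type: text/plain

The meeting moved to 3pm.
--b1
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
placeholder, not a real signature
-----END PGP SIGNATURE-----
--b1--
"""
```

A "spoofed-banner" result is a reason to look at the index flag or the status line rather than the body; a legitimately quoted reply can trigger it too, so treat it as a flag for inspection, not a verdict.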