Anonymous wrote:
A scenario:
1) The spooks put a bug (named Eve) on the link between kiwi.cs.berkeley.edu and the Internet.
Whenever kiwi.cs.berkeley.edu sents out the pubring.pgp Eve intercepts it and replaces it with a file of the spooks' choosing. This file will selectively replace the public pgp keys of some of the remailers (say exon) in pubring.pgp with keys to which the spooks know the private key.
2) A similar bug is put on the link between the exon remailer and the internet. All email to exon is intercepted, and if found to be encrypted with the spooks' PGP key, it is decrypted, saved, re-encrypted with exon's real PGP key and sent on.
It is only a scenario. I am still using premail to send this.
A good scenario. A truly paranoid premail users should verify who signed the remailer keys. If you trust the signators and they signed the keys, you are "safe". Just do pgp -kvv some@remailer.com and see what comes up. Maybe remailer operators should asks someone reputable to sign their remailers' keys so that the users can easily verify the signatures. - Igor.
Igor Chudov @ home wrote: [Anonymous's remailer key spoofing attack]
A good scenario. A truly paranoid premail users should verify who signed the remailer keys.
Unfortunately, in far too many cases, the answer has been "nobody." This is something I've whined about before. -rich
ichudov@algebra.com (Igor Chudov @ home) wrote:
Anonymous wrote:
A scenario:
1) The spooks put a bug (named Eve) on the link between kiwi.cs.berkeley.edu and the Internet.
......
A good scenario. A truly paranoid premail users should verify who signed the remailer keys. If you trust the signators and they signed the keys, you are "safe". Just do pgp -kvv some@remailer.com and see what comes up.
Maybe remailer operators should asks someone reputable to sign their remailers' keys so that the users can easily verify the signatures.
Yes, that is one part of it. Another part is that Raph should include a public PGP key in the premail program and then sign both the remailer-list and the pubring at kiwi.cs.berkeley.edu with it. The public key included in premail should be 1) Used to sign the premail distribution itself. 2) Emailed to various mailing lists such as cypherpunks and also mirrored at various internet sites, so it cannot be spoofed by spooks.
Big Moma wrote:
ichudov@algebra.com (Igor Chudov @ home) wrote:[...]
Maybe remailer operators should asks someone reputable to sign their remailers' keys so that the users can easily verify the signatures.
Yes, that is one part of it. Another part is that Raph should include a public PGP key in the premail program and then sign both the remailer-list and the pubring at kiwi.cs.berkeley.edu with it.
Those resources are automatically generated by programs running on a machine of unverified security on the Internet. A PGP signature doesn't mean much in such a situation. -rich
rcgraves@disposable.com (Rich Graves) wrote:
Big Moma wrote:
ichudov@algebra.com (Igor Chudov @ home) wrote:[...]
Maybe remailer operators should asks someone reputable to sign their remailers' keys so that the users can easily verify the signatures.
Yes, that is one part of it. Another part is that Raph should include a public PGP key in the premail program and then sign both the remailer-list and the pubring at kiwi.cs.berkeley.edu with it.
Those resources are automatically generated by programs running on a machine of unverified security on the Internet. A PGP signature doesn't mean much in such a situation.
Agreed. Considering that the remailer chains were designed to withstand such sofisticated attacks as traffic analysis, it is too bad the tool which most people probably use to access the remailers is vulnerable to a simple spoofing attack such as this. I just realized that the spooks do not really need multiple Mallories. If they want to wiretap a particular person, a Mallory on his/her Internet link is all that is needed. This Mallory can spoof both the incoming pubring.pgp and the outgoing encrypted mail. I suggest that if the `cypherpunks write code' motto has still any value, we discuss ways to eliminate this vulnerability from premail. Maybe we should take the discussion to cryptography, or coderpunks, or even premail-dev?
participants (4)
-
Big Moma -
ichudov@algebra.com -
Liz Taylor -
Rich Graves