Relevance of e-mail (was [OT] Why are you using the GPG / PGP keys?)
Henry Hertz Hobbit
hhhobbit at securemecca.net
Wed May 29 01:00:06 CEST 2013
On 05/28/2013 04:32 PM, Peter Lebbing wrote:
> Personally, I /am/ interested in why people use their keys (the original
> question), and not in the relevance of e-mail.
I use OpenPGP to sign my downloads for others. Everybody
using my stuff are either French, Belgian, or Canadian
French. The Linux people DO use the detached signature
files to verify that some hacker didn't sneak in and whack
things. Don't laugh. The hackers HAVE hit my web-site and
despite the fact I don't use SQL it doesn't mean that SQL
isn't on the multi-homed web-server. The hackers did do
damage to some of my pages and will probably continue to
do so. The hackers are interested in replacing the downloads
with some copycat that would say, block legitimate web-sites
and allow infecting web-sites through. The web-site damage
I am referring to is NOT done by just some infected PC sending
SQL attack packets to web-sites at random. These attacks
are done on purpose by a person / people. So OpenPGP detached
signatures DO help. Why replace my downloads with false
downloads if the verification fails. I will know immediately
if my .profile or .bashrc files or other relevant files
have been tampered with.
It would be nice for other blockers to use OpenPGP enciphered
email messages where we discuss bad web-sites since an email
scanner WILL block the message. Encrypting attachments with
7-Zip's AES-128 is messy and time consuming. IOW, I have a
need for both OpenPGP enciphered email AND OpenPGP signed
email messages because hackers have attacked me and will
continue to attack. Hackers have sent messages purportedly
from these other people. But I know their sending IP
addresses and do check these suspicious messages. But that
is time consuminmg so an OpenPGP signed message would
go a long way to ease my mind. I got the very same
malicious link in an email message that took down Google
several years ago. The only differnce is that I use
Thunderbird with no HTML rendering for my main email despite
having four web-mail accounts. The spear attack looked
amateurish to me. But if Google and others would have
used OpenPGP signed messages regularly, until the keys
are stolen and the pass-phrase sniffed, OpenPGP signed
mails CAN enhance security.
Whether people recognize it or not, many of the Linux
distros use OpenPGP signatures in *.deb, *.rpm and other
update files to verify that they really did come from where
they are purportedly from. More than once on a Linux
distro update I get a message that says "This update
cannot be verified. Do you want it?" NO! I will wait
for the update package that can be verified. What is
doing the verification? OpenPGP for every Linux distro
I have used for years.
HHH
More information about the Gnupg-users
mailing list