Roedy Green <[EMAIL PROTECTED]> writes:
> On Sun, 09 Oct 2005 05:55:01 -0400, Mike Meyer <[EMAIL PROTECTED]> wrote
> or quoted :
>>Virus writers will love the ability to
>>change people's address books remotely.
> Since this is just a broad brush view, I find it odd you can predict
> just what bugs there will be in the early implementations.
I'm not predicting bugs in the implementations. I'm predicting how
people are going to abuse *features* of the implementations.

> You sound almost as if you were the author of the current system and
> feel personally attacked by others looking for ways to improve it.

Nah, I just know people who spend a lot of time - and money - dealing
with spam, and we've discussed these issues at great length. You
haven't proposed anything that hasn't been proposed before, and
rejected for various reasons.

> In my scheme, every message is digitally signed, even a change of
> address message.

Yup, I assumed that.

> Surely for a virus to send out a digitally signed change of address
> message is more difficult than sending out an unsigned one, which they
> can do today.

Maybe yes, maybe no. They can use existing APIs to send mail now. If
there's an API to sign a message - and there just about has to be,
otherwise changing mail readers will require sending out a change of
address form to change the public key - what prevents the virus from
simply using that to send out an encrypted message? Yes, it's more
difficult, just like it's more difficult to send out mail with an
attachment than one that's just plain text. But the difference is just
more work, not something fundamentally different.

> You have two problems you want to avoid:
>
> 1. the practical problem: failure to inform your correspondents, not
> just your address list, of your new address (at least the ones you
> don't consider spam or pests).
>
> 2. the potential problem: rogue software sending out fake change of
> address notices.
>
> In my scheme, the receiver of the change of address message ignores
> it unless it is properly signed. Surely that is a more secure system
> than we have today and that handles (1) without effort. At worst, a
> very clever virus could change the one address book entry, the one for
> this computer, in others' machines. It could not generally corrupt
> other machines.
Depends on how convenient you make things. The problems aren't
technical, they're social. For instance, people will want their
address book to automatically send out change of address notices to
every non-pest if their address is changed. A virus can exploit this
by changing the address in the address book. No need for it to send
out mail - the user's mail agent does it all for them. Fixing this
requires convincing the users that they should do a lot of work to
achieve point 1 - which sort of defeats your purpose. Personally, I
don't believe that you'll convince people to do more work to get more
security. So you've got to convince all the authors who deploy mail
readers - and/or key security systems - to not allow that. Since such
a feature will be requested by users, and will make their software
more popular, that's not going to be easy either.

To be really secure, you store the private key encrypted, and ask the
user for a passphrase to decrypt it every time you want to sign a
message. So you make your interface do that, and it asks the user for
a key every time a message is signed. For true security, you have to
include the recipient address in the signature, otherwise you're
liable to replay attacks sent to different addresses, so changing your
address will involve providing your passphrase once for everyone you
notify. Someone else will decide that's too inconvenient, and provide
an interface that stores the passphrase to reuse for some
user-specified length of time. Existing systems do this, and get lots
of use even though they are less secure than doing it right. Then
you'll get an interface that asks for the key once a session. Then
you'll get one that asks once, and just keeps it forever. We've seen
this happen with access to web site passwords. Guess which one users
are going to prefer. Guess which one makes it simple for viruses to
hijack the system to send out mail that "you" have signed.
<mike -- Mike Meyer <[EMAIL PROTECTED]> http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
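The replay point Mike raises above (a signed change-of-address notice must bind the recipient address, or the same notice can be forwarded to every correspondent), as an added example that is not part of the original thread. It is my code, not Roedy's scheme or any mail client's. Assumptions, mine and not the thread's: an HMAC-SHA256 tag over the notice stands in for the per-sender digital signature being discussed (the receiver-side checks are the same for a public-key signature), each receiver already holds the key of every sender it trusts, indexed by that sender's current address, and all addresses and keys are constructed sample values.

```python
"""
Added example (not from the original post): a change-of-address
notice bound to its recipient so that a copy forwarded to anyone
else, or delivered a second time, is rejected.

Assumption: an HMAC-SHA256 tag stands in for the sender's digital
signature; the receiver's checks would be identical with a real one.
"""
import hashlib
import hmac
import json


def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_notice(sender_key: bytes, old_addr: str, new_addr: str,
                recipient: str) -> dict:
    """Build a notice addressed to exactly one recipient.

    Both the recipient and the sender's current (old) address are part
    of the signed payload: the tag only verifies at that recipient, and
    only while the sender is still known there under old_addr.
    """
    payload = {"old": old_addr, "new": new_addr, "to": recipient}
    tag = hmac.new(sender_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class AddressBook:
    """Receiver side: apply a notice only if it is for us, signed by a
    sender we already know, and not a stale copy."""

    def __init__(self, my_addr: str, known_keys: dict):
        self.my_addr = my_addr
        self.keys = dict(known_keys)   # sender's current address -> key

    def apply_notice(self, notice: dict) -> str:
        payload = notice.get("payload", {})
        # 1. Recipient binding: a notice signed for bob is not valid at carol.
        if payload.get("to") != self.my_addr:
            return "rejected: not addressed to me"
        # 2. The sender must already be in the book under the old address.
        key = self.keys.get(payload.get("old"))
        if key is None:
            return "rejected: unknown sender"
        # 3. Signature check over the canonical payload (constant-time compare).
        expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, notice.get("tag", "")):
            return "rejected: bad signature"
        # All checks passed: move the entry and keep the sender's key.
        # Because the old address is inside the signed payload, this same
        # notice can never be applied again once the entry has moved.
        self.keys[payload["new"]] = self.keys.pop(payload["old"])
        return "accepted"


def demo() -> dict:
    """Run the scenarios from the thread and return each outcome."""
    alice_key = b"constructed-sample-key-for-alice"   # constructed sample
    bob = AddressBook("bob@example.org", {"alice@old.example": alice_key})
    carol = AddressBook("carol@example.org", {"alice@old.example": alice_key})

    for_bob = sign_notice(alice_key, "alice@old.example",
                          "alice@new.example", "bob@example.org")
    results = {}
    # A virus rewriting the new address in transit breaks the signature.
    forged = {"payload": dict(for_bob["payload"], new="mallory@evil.example"),
              "tag": for_bob["tag"]}
    results["tampered"] = bob.apply_notice(forged)
    # An unsigned notice is ignored, as the scheme requires.
    results["unsigned"] = bob.apply_notice({"payload": for_bob["payload"]})
    # The genuine notice is accepted at its intended recipient.
    results["genuine"] = bob.apply_notice(for_bob)
    results["bob_entry"] = "alice@new.example" in bob.keys
    # Replay to a different correspondent: recipient binding rejects it.
    results["replay_to_carol"] = carol.apply_notice(for_bob)
    # Replay to the same recipient: the old address no longer matches.
    results["replay_to_bob"] = bob.apply_notice(for_bob)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

What this does not solve is the social problem the post ends on: if the mail agent holds the passphrase and signs whatever its address book tells it to, a virus that edits the book gets a perfectly valid, recipient-bound notice sent to everyone on the user's behalf.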