On 21/11/2007, Voytek Eymont <[EMAIL PROTECTED]> wrote:
> but, if I'm sending message encrypted, doesn't that guarantee it?
>
> I mean, if someone guessed my password, they could send an email as me,
> but, apart from that, what other exposure is there when sending encrypted
> email ?

So if I got your public pgp key (which is usually, well, public) and
sent your software an encrypted message that only it can read (because
presumably it's the only one with access to the private key) which
said "rm -rf /" or "adduser -u 0 hackedroot", would that be OK with
you?

The point is that encryption (hiding the message) is one thing, but
authentication (where the message came from, and it hasn't been
changed on the way) is a separate stage in the process.

What crackers are usually interested in as a first stage is to cause
the system to run what THEY tell it to do. Configuring your mail
server to trust messages over the mail without enough protection will
give them just that.

The idea with GPG/PGP is that you keep a private key securely with you
and SIGN the message and therefore you make it possible for the
receiver to reasonably verify that the message actually came from you
(by verifying the signature with your public key) and not someone else
pretending to be you. Mind you, that's a separate step from encrypting
the message in a way that only the receiver can read it.

Cheers,

--Amos
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
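The thought experiment from the message above, played out in code. This is an added example and not part of the original post or of GnuPG; it uses Go's standard-library RSA-OAEP for encryption and Ed25519 for signing in place of OpenPGP, and the Envelope type, the key names (serverKey, amosPriv, attackerPriv) and the message bodies are all constructed for illustration. Two receivers are compared: one that trusts anything it can decrypt, and one that also verifies the signature against the expected sender's public key before acting.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a hypothetical stand-in for a PGP message: a body encrypted to
// the receiver's public key, plus a signature made with the sender's private
// key over the plaintext body. Real OpenPGP signs inside the encrypted
// payload; carrying the signature beside the ciphertext is a simplification.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte // nil if the sender never signed
}

// encryptTo needs only the receiver's PUBLIC key, so anyone can do it.
func encryptTo(receiverPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
}

// decryptOnly is the naive receiver from the mail: it acts on whatever it
// can decrypt, without asking who produced it.
func decryptOnly(receiverPriv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.Ciphertext, nil)
}

// decryptAndVerify is the receiver that also authenticates: after decrypting
// it checks the signature against the expected sender's public key and
// refuses the message if that check fails.
func decryptAndVerify(receiverPriv *rsa.PrivateKey, senderPub ed25519.PublicKey, env Envelope) ([]byte, error) {
	pt, err := decryptOnly(receiverPriv, env)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	// Verify returns false for a missing, wrong-length or forged signature.
	if !ed25519.Verify(senderPub, pt, env.Signature) {
		return nil, errors.New("signature does not verify against the claimed sender's key")
	}
	return pt, nil
}

// Outcome records which messages each kind of receiver would have acted on.
type Outcome struct {
	ForgedAcceptedByDecryptOnly bool // attacker's command passes a decrypt-only receiver
	ForgedAcceptedWithVerify    bool // attacker's command passes the verifying receiver
	GenuineAccepted             bool // Amos's signed command passes the verifying receiver
	TamperedAccepted            bool // Amos's signature reused on a different body passes
}

// runScenario plays the mail's thought experiment with constructed messages.
func runScenario() (Outcome, error) {
	var out Outcome
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // the mail server's key pair
	if err != nil {
		return out, err
	}
	amosPub, amosPriv, err := ed25519.GenerateKey(rand.Reader) // Amos's signing key pair
	if err != nil {
		return out, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // attacker's own key, not Amos's
	if err != nil {
		return out, err
	}

	// 1. Attacker encrypts "rm -rf /" to the server's (public) key and signs
	//    it with the only private key they hold, their own.
	forged := []byte("rm -rf /")
	forgedCt, err := encryptTo(&serverKey.PublicKey, forged)
	if err != nil {
		return out, err
	}
	forgedEnv := Envelope{Ciphertext: forgedCt, Signature: ed25519.Sign(attackerPriv, forged)}
	pt, err := decryptOnly(serverKey, forgedEnv)
	out.ForgedAcceptedByDecryptOnly = err == nil && bytes.Equal(pt, forged)
	_, err = decryptAndVerify(serverKey, amosPub, forgedEnv)
	out.ForgedAcceptedWithVerify = err == nil

	// 2. Amos signs with his private key and encrypts to the server.
	genuine := []byte("adduser alice")
	genuineCt, err := encryptTo(&serverKey.PublicKey, genuine)
	if err != nil {
		return out, err
	}
	genuineEnv := Envelope{Ciphertext: genuineCt, Signature: ed25519.Sign(amosPriv, genuine)}
	pt, err = decryptAndVerify(serverKey, amosPub, genuineEnv)
	out.GenuineAccepted = err == nil && bytes.Equal(pt, genuine)

	// 3. Attacker keeps Amos's real signature but swaps in a new body: the
	//    signature covers the original plaintext, so it no longer matches.
	tampered := []byte("adduser -u 0 hackedroot")
	tamperedCt, err := encryptTo(&serverKey.PublicKey, tampered)
	if err != nil {
		return out, err
	}
	tamperedEnv := Envelope{Ciphertext: tamperedCt, Signature: genuineEnv.Signature}
	_, err = decryptAndVerify(serverKey, amosPub, tamperedEnv)
	out.TamperedAccepted = err == nil
	return out, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Run with go run: the decrypt-only receiver accepts the attacker's "rm -rf /" because encryption only required the server's public key, while the verifying receiver rejects both the attacker's message and the re-encrypted body carrying Amos's reused signature, and accepts only what Amos actually signed. Note that signature verification only tells you the message came from whoever holds that private key; deciding that this key really belongs to Amos (key fingerprints, web of trust) is a separate problem again.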
