Jargons of Info Tech industry

Mike Meyer mwm at mired.org
Sun Oct 9 20:06:34 EDT 2005


Roedy Green <my_email_is_posted_on_my_website at munged.invalid> writes:
> On Sun, 09 Oct 2005 05:55:01 -0400, Mike Meyer <mwm at mired.org> wrote
> or quoted :
>>Virus writers will love the ability to
>>change peoples address books remotely.
> Since this is just a broad brush view, I find it odd you can predict
> just what bugs there will be in the early implementations.

I'm not predicting bugs in the implementations. I'm predicting how
people are going to abuse *features* of the implementations.

> You sound almost as if you were the author of the current system and
> feel personally attacked by others looking for ways to improve it.

Nah, I just know people who spend a lot of time - and money -
dealing with spam, and we've discussed these issues at great
length. You haven't proposed anything that hasn't been proposed
before, and rejected for various reasons.

> In my scheme, every message is digitally signed, even a change of
> address message. 

Yup, I assumed that.

> Surely for a virus to send out a digitally signed change of address
> message is more difficult than sending out an unsigned one, which they
> can do today.

Maybe yes, maybe no. They can use existing APIs to send mail now. If
there's an API to sign a message - and there just about has to be,
otherwise changing mail readers will require sending out a change of
address form to change the public key - what prevents the virus from
simply using that to send out an encrypted message? Yes, it's more
difficult, just like it's more difficult to send out mail with an
attachment than one that's just plain text. But the difference is just
more work, not something fundamentally different.

> You have two problems you want to avoid:
>
> 1. the practical problem:  failure to inform your correspondents, not
> just your address list, of your new address (at least the ones you
> don't consider spam or pests).
>
> 2. the potential problem:  rogue software sending out fake change of
> address notices.
>
> In my scheme, the receiver of the change of address message ignores
> it unless it is properly signed. Surely that is a more secure system
> than we have today and that handles (1) without effort. At worst, a
> very clever virus could change the one address book entry, the one for
> this computer, in others' machines. It could not generally corrupt
> other machines.

Depends on how convenient you make things. The problems aren't
technical, they're social. For instance, people will want their
address book to automatically send out change of address notices to
every non-pest if their address is changed. A virus can exploit this
by changing the address in the address book. No need for it to send
out mail - the user's mail agent does it all for them. Fixing this
requires convincing the users that they should do a lot of work to
achieve point 1 - which sort of defeats your purpose.

Personally, I don't believe that you'll convince people to do
more work to get more security. So you've got to convince all the
authors who deploy mail readers - and/or key security systems - to not
allow that. Since such a feature will be requested by users, and will
make their software more popular, that's not going to be easy either.

To be really secure, you store the private key encrypted, and ask the
user for a passphrase to decrypt it every time you want to sign a
message. So you make your interface do that, and it asks the user for
a key every time a message is signed. For true security, you have to
include the recipient address in the signature, otherwise you're
liable to replay attacks sent to different addresses, so changing your
address will involve providing your pass phrase once for everyone you
notify. Someone else will decide that's too inconvenient, and provide
an interface that stores the passphrase to reuse for some
user-specified length of time. Existing systems do this, and get lots
of use even though they are less secure than doing it right. Then
you'll get an interface that asks for the key once a session. Then
you'll get one that asks once, and just keeps it forever. We've seen
this happen with access to web site passwords.

Guess which one users are going to prefer. Guess which one makes it
simple for viruses to hijack their system to send out mail that "you"
have signed.

      <mike
-- 
Mike Meyer <mwm at mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
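The replay point made in the message above (a signed change-of-address notice that does not bind the recipient can be re-sent as-is to anyone), shown as an added Go example that is not part of the thread or of any mail system it describes; the ChangeNotice format, its field names, the sample addresses and the use of Ed25519 are assumptions made for the example:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ChangeNotice is a hypothetical change-of-address message (field names are assumptions).
type ChangeNotice struct {
	OldAddr   string
	NewAddr   string
	Recipient string // the correspondent this particular copy is sent to
	Sig       []byte
}

// payload returns the bytes that get signed; bind=false is the replayable design.
func payload(n ChangeNotice, bind bool) []byte {
	s := n.OldAddr + "\x00" + n.NewAddr
	if bind {
		s += "\x00" + n.Recipient
	}
	return []byte(s)
}

// Sign produces the sender's signature over the notice.
func Sign(priv ed25519.PrivateKey, n ChangeNotice, bind bool) ChangeNotice {
	n.Sig = ed25519.Sign(priv, payload(n, bind))
	return n
}

// Accept verifies with the sender's known public key, using the receiver's OWN address as recipient, not the message's claim.
func Accept(pub ed25519.PublicKey, n ChangeNotice, myAddr string, bind bool) bool {
	n.Recipient = myAddr
	return ed25519.Verify(pub, payload(n, bind), n.Sig)
}

// ReplayDemo signs one notice for alice and replays that same copy to bob.
// Returns (alice accepts, bob accepts the replay) for unbound, then for bound.
func ReplayDemo() (unboundOK, unboundReplay, boundOK, boundReplay bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	n := ChangeNotice{OldAddr: "old@example.invalid", NewAddr: "new@example.invalid", Recipient: "alice@example.invalid"}
	unbound := Sign(priv, n, false)
	unboundOK, unboundReplay = Accept(pub, unbound, "alice@example.invalid", false), Accept(pub, unbound, "bob@example.invalid", false)
	bound := Sign(priv, n, true)
	boundOK, boundReplay = Accept(pub, bound, "alice@example.invalid", true), Accept(pub, bound, "bob@example.invalid", true)
	return
}

func main() { fmt.Println(ReplayDemo()) }
```

With the recipient bound into the signed bytes, bob's mail agent rejects the copy that was signed for alice, while alice's still verifies.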