by lmgftp
4725 days ago
Scary bit is it's not served on HTTPS, which is probably a must-have for sites that publish public-key information. Much easier to MITM attack the site and claim to be posting "his" public key and email address while really publishing your own info, etc. A great tutorial, however. Very accessible in my opinion, and considering its purpose, my previous paragraph is more of an aside.

Still, I suppose it's possible for an adversary to work around this as well. If you can find enough people who are 1) willing to falsely sign a key, and 2) trusted by others, you can have these people sign a spoofed key. But then these people would be putting their reputations on the line, and the probability of being exposed is high. Thus the cost of the attack is high.
The lesson being: If you're emailing info that is valuable enough to warrant such a costly attack, verify the key through some other means. Meet the message recipient in person, for example. And consider a thorough security audit of everything in your digital and physical life. You're obviously operating in a far more dangerous world than I am. There are probably many vulnerabilities available to attackers that have nothing to do with your email.