by jarrett 4725 days ago
That's the purpose of key signing. The author--like almost all PGP users--has gotten his key signed by third parties. This means that its integrity can be verified. E.g., if a man in the middle were to intercept the HTTP response and change the contents of the key, it would lack the signatures.

Still, I suppose it's possible for an adversary to work around this as well. If you can find enough people who are 1) willing to falsely sign a key, and 2) trusted by others, you can have these people sign a spoofed key. But then these people would be putting their reputations on the line, and the probability of being exposed is high. Thus the cost of the attack is high.

The lesson being: If you're emailing info that is valuable enough to warrant such a costly attack, verify the key through some other means. Meet the message recipient in person, for example. And consider a thorough security audit of everything in your digital and physical life. You're obviously operating in a far more dangerous world than I do. There are probably many vulnerabilities available to attackers that have nothing to do with your email.

1 comments

Of course, you're entirely correct in that :)

My warning was truly an aside, and given the nature of a large group of visitors, of course a handful might not follow best practices and verify the signatures, etc.

Ah, good point. I see what you mean--if someone is just learning about PGP for the first time, they might not know about issues surrounding key integrity, and the need for trusted 3rd-party signatures.
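The check discussed in this thread, as an added example that is not part of any comment: it reads a `gpg --check-sigs --with-colons` listing for a downloaded key and counts only verified third-party certifications from signers you have vetted yourself, with an out-of-band fingerprint comparison as the stronger path. The listing, key IDs, fingerprint and function names are constructed for illustration, and it assumes one key per listing.

```python
# Added example: constructed `gpg --check-sigs --with-colons` listing (no real keys).
SAMPLE = """\
pub:f:4096:1:AAAAAAAAAAAAAAAA:1300000000:::-:::scESC:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAAA:
uid:f::::1300000000::::Author <author@example.org>:
sig:!::1:AAAAAAAAAAAAAAAA:1300000000::::Author <author@example.org>:13x:
sig:!::1:BBBBBBBBBBBBBBBB:1300000100::::Alice <alice@example.org>:10x:
sig:?::1:CCCCCCCCCCCCCCCC:1300000200::::[User ID not found]:10x:
sig:-::1:DDDDDDDDDDDDDDDD:1300000300::::Dave <dave@example.org>:10x:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP key-certification signature types


def vetted_certifications(listing, vetted_key_ids):
    """Return (fingerprint, signers): vetted third parties whose signature verified."""
    primary = fingerprint = None
    signers = set()
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]
        elif f[0] == "fpr" and fingerprint is None and len(f) > 9:
            fingerprint = f[9]
        elif f[0] == "sig" and len(f) > 10:
            verified = f[1].startswith("!")       # '-' bad, '?' signer key missing
            third_party = f[4] != primary         # a self-signature proves nothing here
            if (verified and third_party and f[10][:2] in CERT_CLASSES
                    and f[4] in vetted_key_ids):
                signers.add(f[4])
    return fingerprint, signers


def accept_key(listing, vetted_key_ids, out_of_band_fpr=None, min_signers=1):
    """Accept on an out-of-band fingerprint match, else on enough vetted signers."""
    fingerprint, signers = vetted_certifications(listing, vetted_key_ids)
    if out_of_band_fpr is not None:
        return fingerprint == out_of_band_fpr.replace(" ", "").upper()
    return len(signers) >= min_signers


if __name__ == "__main__":
    mine = {"BBBBBBBBBBBBBBBB", "DDDDDDDDDDDDDDDD"}  # signers I verified myself
    print(vetted_certifications(SAMPLE, mine))
    print(accept_key(SAMPLE, mine, min_signers=2))
```

A key whose only good signature is its own self-signature yields an empty signer set, which is the case a man in the middle can always produce.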