
Re: question on Self-Decrypting Messages !!!

2001-08-21 23:44:07

On Tue, 21 Aug 2001 22:50:58 -0500 (CDT), Rezaul H Safiuddin said:

> If I encrypt a message and send it to someone who doesn't use PGP, I have
> to use SDA, and somehow give them the password to it, right ?

Don't know what SDA is, but self-decrypting messages are a *very
stupid* idea.  You receive such a message from someone you don't know,
you are not able to check the identity of the sender, otherwise you
would have installed an OpenPGP implementation.  So what you do is to
allow anyone who is able to send you a message to run arbitrary code
on your box.  It may decrypt the message but you don't know what the
code does on the side.

Okay, you can check that the executable part of that message is
identical to a trusted copy you have - but then why not use your copy
right away?  You need a shared passphrase, this indicates that you
have established a communication link to the sender by another way -
why not also install regular software.

You can have some software installed on your box which analyzes the
self-decrypting message and compares the executable part with a known
checksum.  I can see no advantages for such a program because it will
have about the same complexity as a normal decrypting software.

And a self-decrypting thing will never be able to check a signature.

All these self-foo things have another major drawback:  They are only
able to do their job on one platform (i.e. CPU and OS).

Ciao,

  Werner


-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus
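The "compare the executable part with a known checksum" check described in the message above, as an added example that is not part of the original post or of any real SDA tool. The container layout (stub bytes, a marker, then the encrypted payload) and the sample data are constructed for this example; real self-decrypting formats differ. The point it makes is the one in the post: the only safe decision is a hash comparison against a stub you already trust, after which the stub itself is never needed, because the payload can be handed to the decryptor you already have.

```python
import hashlib

# Constructed container layout for this example only (not any real SDA format):
#   <stub executable bytes><MARKER><encrypted payload bytes>
MARKER = b"\x00--SDA-PAYLOAD--\x00"


def split_container(blob):
    """Split a self-decrypting blob into (stub, payload) at the first marker.

    Raises ValueError if the marker is absent, so an unrecognised file is
    never mistaken for a container with an empty payload.
    """
    idx = blob.find(MARKER)
    if idx < 0:
        raise ValueError("no payload marker found; not a recognised container")
    return blob[:idx], blob[idx + len(MARKER):]


def stub_digest(stub):
    """SHA-256 hex digest of the executable part."""
    return hashlib.sha256(stub).hexdigest()


def verify_stub(blob, trusted_digests):
    """True only if the executable part matches a digest we already trust.

    Nothing from the blob is executed; the decision rests purely on the hash.
    """
    stub, _ = split_container(blob)
    return stub_digest(stub) in trusted_digests


def extract_payload(blob, trusted_digests):
    """Return the encrypted payload if the stub is trusted, otherwise None.

    Once the stub is known to be identical to our own copy, it has no further
    use: the payload goes to the locally installed decryptor instead.
    """
    stub, payload = split_container(blob)
    if stub_digest(stub) not in trusted_digests:
        return None
    return payload


def build_container(stub, payload):
    """Assemble a container in the constructed layout (used for sample data)."""
    return stub + MARKER + payload


# Constructed sample data: a stub we trust, its digest, and an opaque payload.
TRUSTED_STUB = b"#!/bin/sh\n# trusted decryptor stub (constructed)\n"
TRUSTED_DIGESTS = {stub_digest(TRUSTED_STUB)}
PAYLOAD = b"\x8c\x0d\x04\x01\xde\xad\xbe\xef"  # constructed ciphertext bytes


def demo():
    """Verify an untouched container and one whose stub has extra code appended."""
    good = build_container(TRUSTED_STUB, PAYLOAD)
    tampered = build_container(TRUSTED_STUB + b"echo extra\n", PAYLOAD)
    return verify_stub(good, TRUSTED_DIGESTS), verify_stub(tampered, TRUSTED_DIGESTS)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A single appended byte in the stub changes the digest, so even a "mostly identical" stub is rejected outright; there is no partial trust. Note that the verifier needs to parse the container format and hold a trusted digest list, which is exactly the complexity of the regular software the post says you should install instead.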

