[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] PGP and Signed Messages,
-----BEGIN PGP SIGNED MESSAGE-----
On 02/19/2016 05:34 AM, Nathaniel Suchy wrote:
> I've noticed a lot of users of Tor use PGP. With it you can encrypt
> or sign a message. However how do we know a key is real? What would
> stop me from creating a new key pair and uploading it to the key
> servers? And from there spoofing identity?
Yes, you could create a key with user ID mirimir (mirimir@xxxxxxxxxx).
And you could share it with others, pretending to be me. But email to
mirimir@xxxxxxxxxx goes to me, not to you, and I'd be unable to read
it. So I'd probably reply, attaching my public key. I could also
download the fake key, and alert the sender.
But Riseup could do that, and also filter out messages going to their
fake key. Adversaries that could MitM Riseup's connections with other
mailservers could also manage that.
But correspondents who bothered to check https://keybase.io/mirimir
could determine whether or not they have the right key for me. In
order to change keys, an adversary would need to make coordinated
changes to four online accounts and the VM that I'm using. Possible?
Sure. But not so easy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP SIGNATURE-----
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to