
Re: encryption

Subject: Re: encryption
Date: Thu, 27 Jan 2005 01:33:34 +0100
On Wed, Jan 26, 2005 at 12:24:20PM +0100, Philip Wagenaar wrote:
> I was also looking at gnupg.
>
> There are a lot of tools for it. Also signing HTML files. I was
> wondering if signing HTML files is useful. And if it is, anyone have
> any experience with it?
>
> Also, is it possible to encrypt HTML files and make them available for
> a specified number of users. I would have a webpage on my webserver. I
> would encrypt it with gnupg/pgp... and I would encrypt it for a number of
> users?
>
> Kind regards,
>
> (Philip) Wagenaar
> Assistant, ICT Projects & Advice

Dear Philip,

this is indeed possible; however, I wouldn't recommend it.

PGP/GnuPG and whatever other programs conform to the OpenPGP standard
are able to sign arbitrary binary data. This can be done in several
ways:
        - 'standard' signature: mangles the data. Can be read only with
          GnuPG (or PGP, or whatever - but I use GnuPG and like it, so
          I'm just going to use it in all my examples)
          [ gpg --sign ]
        - detached signature: creates a small file. The original data is
          left intact, and can be read with whatever program is
          appropriate.

          This signature can be used with MIME, which allows signing
          arbitrary (?) MIME parts of e-mail messages. Including HTML.
          Used with 'ASCII armored' format, which means the signature
          doesn't scramble terminals and the like.
          [ gpg --armor --detach-sign ]
        - 'traditional mail' signature: pre- and appends an appropriate
          bit of text. Transparent, simple and elegant, but only works
          for text/plain.
          [ gpg --clear-sign ]

The ability to use HTML refers to the second ability - the third option
mangles HTML too badly for it to be parseable.

Of course, any of these options would still allow people to read a web
page, providing they have both the appropriate software and the proper
key. However, gpg isn't built into any browsers (though it could
probably be done - I'm fairly certain that adding an entry in
/etc/mailcap.conf would work with, at least, lynx...). This means it is
a bad choice for transparent encryption (that's what https is for).

It is quite widely used to sign downloadable files (usually source or
binary archives), though, at least in the Open Source world.

Yours,

                Joachim Schipper

P.S. How about trimming down all that text your mailer adds a little?
Oh, and Betr.: is only applicable to us Dutchmen...
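
The three signing modes from the reply above, run against one HTML file and then checked. This is an added example, not part of the original message; the throwaway key, the file names and the page content are constructed for the demo, and it assumes GnuPG 2.1 or later.

```bash
#!/bin/sh
# Added example: one HTML file signed three ways with GnuPG.
# The throwaway key, file names and page content are constructed for this demo.

sign_demo() (
    set -eu
    work=$(mktemp -d)
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$work"' EXIT
    export GNUPGHOME="$work/gnupg"            # isolated keyring, not ~/.gnupg
    mkdir -m 700 "$GNUPGHOME"
    cd "$work"
    printf '<html>\n<body><p>Release notes</p></body>\n</html>\n' > page.html
    cp page.html original.html

    g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }
    g --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never 2>/dev/null

    # 1. Standard signature: data and signature wrapped in one OpenPGP message.
    g --output page.html.gpg --sign page.html
    # 2. Detached, ASCII-armored signature: page.html itself is not touched.
    g --armor --output page.html.sig --detach-sign page.html
    # 3. Cleartext signature: armor lines are added around the text.
    g --output page.signed.txt --clearsign page.html

    # Standard: the markup is only readable again after gpg unwraps it.
    grep -q '<html>' page.html.gpg && wrapped=readable || wrapped=opaque
    g --output unwrapped.html --decrypt page.html.gpg 2>/dev/null
    cmp -s unwrapped.html original.html && unwrap=match || unwrap=differ

    # Detached: file is byte-identical and verifies; a modified copy does not.
    cmp -s page.html original.html && intact=yes || intact=no
    g --verify page.html.sig page.html 2>/dev/null && good=valid || good=invalid
    sed 's/Release/Malicious/' page.html > tampered.html
    g --verify page.html.sig tampered.html 2>/dev/null && bad=valid || bad=invalid

    # Cleartext: the document no longer starts with markup.
    first=$(head -n 1 page.signed.txt)

    printf 'standard=%s/%s detached=%s/%s tampered=%s clearsign_first_line=%s\n' \
        "$wrapped" "$unwrap" "$intact" "$good" "$bad" "$first"
)

if command -v gpg >/dev/null 2>&1; then sign_demo; else echo 'gpg not installed' >&2; fi
```

Only the detached signature leaves a file that a browser can still render unchanged, which is why it is the form normally published next to downloadable archives.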
