- Newsgroups: comp.protocols.tcp-ip
- Path: sparky!uunet!stan!imp
- From: imp@solbourne.com (Warner Losh)
- Subject: Re: SMTP mail
- Message-ID: <Bs5toz.Hv7@solbourne.com>
- Organization: Solbourne, User Interface Group
- References: <92209.190519KKEYTE@ESOC.BITNET> <1992Jul29.021534.6708@mp.cs.niu.edu> <92211.092548KKEYTE@ESOC.BITNET>
- Date: Wed, 29 Jul 1992 16:55:46 GMT
- Lines: 36
-
- In article <92211.092548KKEYTE@ESOC.BITNET> Karl Keyte
- <KKEYTE@ESOC.BITNET> writes:
- >& that's not a security hole?
-
- No. It is an authentication hole. It's not as if it gives anybody
- unauthorized access to your machine, or prevents others from accessing
- your machine.
-
- >It is if you want to believe mail that you receive.
- >Paper mail is usually signed. The point is, SMTP is stupidly
- >simple (as we all know) in its "authentication". My question still
- >stands.
-
- SMTP does not provide any authentication. Neither does paper mail.
- It is quite easy to forge both, but they are the best that we have
- right now. How do you know that the signature in paper mail is cool
- or not? Some people that you communicate with all the time maybe, but
- just a random piece of mail? SMTP is the same way. Its messages have
- a weak "signature" on them in the form of Received: lines.
-
- You might want to investigate using an RFC931 server. It will make it
- harder to forge the mail.
-
- You might also want to see what the state of the art in PEM is these
- days. PEM doesn't prevent forgeries, but it does have a much stronger
- digital signature coded into the message itself.
-
- There is absolutely NOTHING that you can do that will prevent all
- kinds of forgeries. There are things that you can do to make it
- harder to forge mail, but NOTHING is 100% secure.
-
- Warner
- --
- Warner Losh imp@Solbourne.COM
- Interview Horror Story #882: "It's pretty informal around here.
- Thursdays are clothing optional.."
-
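Added example, not part of the original post: a short Python sketch of why Received: lines are only a weak "signature". It walks the header chain newest-first and treats a hop as evidence only if it was written by an MTA the recipient operates. The sample message, the hostnames, the `analyze` helper and the Postfix/sendmail-style `from HELO (rdns [ip]) by host` layout are all assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic). MTAs prepend headers, so the
# top Received: line is the newest hop; the bottom one arrived with the message.
SAMPLE = """\
Received: from mail.bank.example (unknown [203.0.113.7])
\tby mx.corp.example with SMTP id A1; Wed, 29 Jul 1992 16:55:46 GMT
Received: from ceo-desk.bank.example (ceo-desk.bank.example [192.0.2.10])
\tby mail.bank.example with SMTP id Z9; Wed, 29 Jul 1992 16:55:40 GMT
From: ceo@bank.example
Subject: constructed test

body
"""

# Assumed layout: "from <HELO name> (<reverse DNS> [<peer IP>]) by <recording MTA>"
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def analyze(raw, trusted_mtas):
    """Return one dict per Received: hop, newest first, with a trust verdict."""
    msg = message_from_string(raw)
    hops, trusted_so_far = [], True
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if not m:
            hops.append({"raw": value, "verified": False, "helo_mismatch": None})
            trusted_so_far = False
            continue
        hop = m.groupdict()
        # A hop counts as evidence only if an MTA we run wrote it and every
        # hop above it was also written by one of our MTAs.
        hop["verified"] = trusted_so_far and hop["by"] in trusted_mtas
        trusted_so_far = hop["verified"]
        # The HELO name is whatever the peer claimed; rdns/ip were observed.
        hop["helo_mismatch"] = hop["helo"].lower() != hop["rdns"].lower()
        hops.append(hop)
    return hops
```

In the sample, only the top hop is verifiable, and it shows a peer whose claimed name did not match what the receiving MTA observed. The lower hop looks perfectly consistent, yet it is unverified because the sending side supplied it.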