Why might a PGP-signed email be considered less secure than the same message without a signature?
I sent an email to a friend's work address. The email had an attachment, not a lot of text, and was signed (not encrypted) with my PGP signature.
They briefly received the email before it was removed from their inbox, presumably by the IT department's filtering.
I then sent ostensibly the same message[1] without signing, and the message successfully reached the inbox.
Why would the signed version be less trustworthy than the unsigned one?
I found a Reddit thread suggesting that URL-rewriter filters[2] could tinker with the text of the email, thus making the signed content invalid. But my email had no links!
1 answer
It's impossible to know for certain without examining the precise rules used by the IT department's spam filtering system, but we can probably make some sensible guesses.
It is unlikely (although not impossible) that the IT system cares about the validity of the PGP signature, or is even bothering to check it, for a couple of reasons:
- The use of PGP-signed email is extremely niche, and mostly limited to open-source crypto enthusiasts (the only time I've seen PGP-signed emails is on Linux User Group mailing lists, and even then it was only a handful of people on a list with dozens of members). Therefore there is little motivation to integrate PGP functionality into a spam-detection system.
- It's an extra computational step the system has to perform while processing many thousands of messages every day (although most of those messages won't be signed, for the above reason).
- The validity of a PGP signature establishes nothing about whether the email is spam. Any spammer can create their own PGP key, upload it to some key servers and start signing their emails.
What spam filters do often care about is attachments.
Assuming your PGP-enabled mail client is set up to send signed emails using the modern PGP/MIME format, rather than the largely deprecated inline format, then the signature will be attached as a separate part of a multipart MIME message, using the content type application/pgp-signature. This is in addition to the attachment you explicitly sent, so your resulting message now has two attachments instead of one, which might be enough to push it above the threshold for being marked as spam.
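As an added example (not code from the question or the answer above): the Python below builds the same message twice, once as a plain multipart/mixed mail and once wrapped in PGP/MIME (RFC 3156), and lists the MIME tree a receiving filter would see, so the extra application/pgp-signature leaf that a naive attachment count picks up is visible. Going one step beyond the answer, it also hashes the signed part the way a verifier would (CRLF-canonicalised bytes of the first multipart/signed part), so that a gateway editing the body, the URL-rewriter case raised in the question, visibly changes what the signature covers. The addresses, file name, body text, boundaries and signature bytes are constructed placeholders, and the "every non-text leaf is an attachment" rule is an assumed heuristic, not any particular product's logic.

```python
"""Constructed example: the same mail with and without a PGP/MIME signature.
Not code from the original post. The signature text is a placeholder, not a
real OpenPGP signature; addresses, file name and boundaries are made up."""
import hashlib
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

BODY_TEXT = "Hi, the report is attached.\n"            # constructed sample body
ATTACHMENT = b"%PDF-1.4 constructed sample bytes\n"    # constructed sample file
FAKE_SIGNATURE = (                                     # placeholder, not a real signature
    "-----BEGIN PGP SIGNATURE-----\n\n"
    "iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholder=\n"
    "=abcd\n"
    "-----END PGP SIGNATURE-----\n"
)
# Fixed boundaries so the serialised bytes, and therefore the digest, are reproducible.
INNER_BOUNDARY = "==constructed-mixed-boundary=="
OUTER_BOUNDARY = "==constructed-signed-boundary=="


def build_payload() -> MIMEMultipart:
    """The multipart/mixed body: text plus the one attachment the sender chose."""
    mixed = MIMEMultipart("mixed", boundary=INNER_BOUNDARY)
    mixed.attach(MIMEText(BODY_TEXT, "plain"))
    pdf = MIMEApplication(ATTACHMENT, "pdf")
    pdf.add_header("Content-Disposition", "attachment", filename="report.pdf")
    mixed.attach(pdf)
    return mixed


def add_envelope(msg):
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "report"
    return msg


def build_unsigned() -> MIMEMultipart:
    """The unsigned send: one text part, one attachment."""
    return add_envelope(build_payload())


def build_signed() -> MIMEMultipart:
    """PGP/MIME (RFC 3156): a multipart/signed wrapper whose first part is the
    entire body above and whose second part is the detached signature."""
    outer = MIMEMultipart("signed", boundary=OUTER_BOUNDARY,
                          micalg="pgp-sha256", protocol="application/pgp-signature")
    outer.attach(build_payload())
    sig = MIMENonMultipart("application", "pgp-signature", name="signature.asc")
    # Some clients also mark the signature part as an attachment, which makes
    # it look even more like a second file to a filter.
    sig.add_header("Content-Disposition", "attachment", filename="signature.asc")
    sig.set_payload(FAKE_SIGNATURE)
    outer.attach(sig)
    return add_envelope(outer)


def parse(msg):
    """Round-trip through bytes, as a receiving gateway would see the message."""
    return BytesParser(policy=policy.default).parsebytes(msg.as_bytes())


def content_types(msg) -> list:
    """Content-Type of every node in the MIME tree, outermost first."""
    return [part.get_content_type() for part in parse(msg).walk()]


def count_nontext_parts(msg) -> int:
    """Assumed naive 'how many attachments?' heuristic: every leaf part that is
    not text counts. The signature part is counted exactly like a real file."""
    return sum(1 for part in parse(msg).walk()
               if not part.is_multipart() and part.get_content_maintype() != "text")


def signed_payload_digest(msg):
    """SHA-256 over the bytes a verifier would hash: the first part of the
    multipart/signed container, canonicalised to CRLF line endings as RFC 3156
    requires. Returns None for a message that is not PGP/MIME signed."""
    parsed = parse(msg)
    if parsed.get_content_type() != "multipart/signed":
        return None
    signed_part = parsed.get_payload(0)
    return hashlib.sha256(signed_part.as_bytes(policy=policy.SMTP)).hexdigest()


def with_footer(msg, footer: str):
    """Simulate a gateway editing the body (a rewritten URL, an added
    disclaimer): the text inside the signed part changes, so the digest does too."""
    parsed = parse(msg)
    for part in parsed.walk():
        if part.get_content_type() == "text/plain":
            part.set_content(part.get_content() + footer)
            break
    return parsed


if __name__ == "__main__":
    for label, msg in (("unsigned", build_unsigned()), ("signed", build_signed())):
        print(label, content_types(msg), "non-text leaves:", count_nontext_parts(msg))
    original = signed_payload_digest(build_signed())
    edited = signed_payload_digest(with_footer(build_signed(), "\n-- scanned by gateway\n"))
    print("signed bytes unchanged after gateway edit:", original == edited)
```

Run directly, it prints three nodes for the unsigned mail and five for the signed one, with one and two non-text leaves respectively, which is the whole of the "two attachments instead of one" argument. The digest comparison is only the canonicalisation step of verification; a real verifier would then check the detached OpenPGP signature over those same CRLF bytes, and any edit inside the first part, links or not, makes that check fail.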
