
GPG/PGP test by fire

2020-03-01 by: "Mike (meuon) Harrison"
From: "Mike (meuon) Harrison" 
------------------------------------------------------

Hi Chugalarians!

This is a "test by fire". 

If you get this and can read it, I sent it to chugalug@chugalug.org as GPG
signed and encrypted text.  

If you receive it as plain text, you should see a weird footer that says it
was verified by the Chugalug list server.

If you receive it as "signed" by Chugalug, you should also see a weird
footer added that says the original sender was verified.  With a PGP wrapper
and signature from Chugalug as well.

If you received it "encrypted" by Chugalug, you should also see a weird
footer added that says the original sender was verified inside of the decrypted text. 

Note that Chugalug/Melee is doing more than just a signature valid check. 
The signature must match the sender and the content must match the signature. 

Testing with Alpine and GPG via file import/export has been rock solid, with
one caveat: Tabs.  A clear signed PGP message with tabs gets those tabs
expanded by Alpine and the content/signature becomes invalid.

Playing with Flowcrypt (a gmail extension)..  Sigh.  It works almost too
well.  And displays fallacies in many cases.  The most common is it says the
sending email signature is that of the "From/Reply" line of the email, when
it is actually that of the list.  Similar issues with encrypted content. 
It'll decrypt it (as it should as it has the public key of the sender:
chugalug), but displays it as from the From/Reply line of the email. 

What I learned is: Get to know your encryption toolset and still be wary.

There are probably a lot of other exceptions possible.  I'll admit I'm not
an expert and one of my reasons to dive into this feature set was to learn
and gain experience.  Sadly, not many of us are capable of, or are actually
using PGP encryption. Hat tip to Adam/Vendion for being a test subject and helping. 

Thank you Chugalug for letting me play. --Meuon--












=====
| chugalug VERIFIES mike@geeklabs.com as sender and valid content
| Fingerprint: 2139D479145D8624749EFBD5FC1DE431F4959034
=====
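
The check this post describes (a valid signature, made by the key that belongs to the From address, over unmodified content), together with the mislabeling seen when the list re-signs a message, as an added example that is not the Chugalug/Melee code. It assumes the verifier reads `gpg --status-fd` lines and keeps a pinned address-to-fingerprint table; the status samples, the UID strings and the list fingerprint are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed `gpg --status-fd 1 --verify` output, not captured from the list.
# MIKE_FPR is the fingerprint from the footer above; LIST_FPR is a placeholder.
MIKE_FPR = "2139D479145D8624749EFBD5FC1DE431F4959034"
LIST_FPR = "A" * 40

def status(keyword, fpr, uid):
    """Build the status lines gpg emits for one signature (constructed sample)."""
    lines = ["[GNUPG:] NEWSIG", f"[GNUPG:] {keyword} {fpr[-16:]} {uid}"]
    if keyword == "GOODSIG":
        lines.append(f"[GNUPG:] VALIDSIG {fpr} 2020-03-01 1583093040 0 4 0 1 8 01 {fpr}")
    return "\n".join(lines) + "\n"

FROM_MIKE = status("GOODSIG", MIKE_FPR, "Mike Harrison <mike@geeklabs.com>")
FROM_LIST = status("GOODSIG", LIST_FPR, "Chugalug <chugalug@chugalug.org>")
TABS_EXPANDED = status("BADSIG", MIKE_FPR, "Mike Harrison <mike@geeklabs.com>")

def signer_of(status_text):
    """Return (fingerprint, uid_email) of a good signature, else None."""
    good = re.search(r"^\[GNUPG:\] GOODSIG \S+ (.*)$", status_text, re.M)
    valid = re.search(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})\b", status_text, re.M)
    if not (good and valid):
        return None          # BADSIG, ERRSIG or unsigned: content does not match
    return valid.group(1), parseaddr(good.group(1))[1].lower()

def verify_sender(from_header, status_text, pinned):
    """pinned maps a subscriber address to its key fingerprint (hypothetical table).

    The UID e-mail in GOODSIG is self-asserted by whoever made the key, so the
    binding is address -> pinned fingerprint, never UID text alone.
    """
    from_addr = parseaddr(from_header)[1].lower()
    signer = signer_of(status_text)
    if signer is None:
        return False, "no valid signature over this content"
    fpr, uid_email = signer
    if pinned.get(from_addr) != fpr:
        return False, f"valid signature, but by {uid_email}, not {from_addr}"
    return True, f"VERIFIES {from_addr} as sender and valid content ({fpr})"

PINNED = {"mike@geeklabs.com": MIKE_FPR, "chugalug@chugalug.org": LIST_FPR}
HEADER = "Mike Harrison <mike@geeklabs.com>"
if __name__ == "__main__":
    for sample in (FROM_MIKE, FROM_LIST, TABS_EXPANDED):
        print(verify_sender(HEADER, sample, PINNED))
```

The second sample is the case a mail client gets wrong when it shows "valid signature" beside the From line: the signature is good, but it is the list's, so the sender check fails.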



===============================================================
From: Wil Wade
------------------------------------------------------
Fire failed.

Also can see it https://chugalug.org/g/articles/show/5898/GPG/PGP%20test%20by%20fire/

===============================================================
From: Dan Mailman
------------------------------------------------------
Received Weirdly Footed Text.

On Sun, Mar 1, 2020 at 3:24 PM Mike (meuon) Harrison wrote:

===============================================================
From: Med Dement
------------------------------------------------------
Anybody interested in a UNIFI AP PRO… bought it 4 days ago and I'm done with it.. and their software…

— Med Dement
Med@hophoto.com
423-894-6448

===============================================================
From: Meds Mail
------------------------------------------------------
Received

Sent from my iPhone

===============================================================
From: John
------------------------------------------------------
How can I unsubscribe?

===============================================================
From: "Mike (meuon) Harrison"
------------------------------------------------------
Wil: WAD: Works as designed.

I transmitted an encrypted email to chugalug@chugalug.org, it was encrypted in transit, decrypted into readable text by the list server, and sent to various members as: plain text, PGP signed or PGP encrypted per their settings.

The website link: https://www.chugalug.org/g/articles/show/5898 is derived from a mailbox that receives plain text emails, and posts them for public use. Mostly to show that this is an active list.

And it looks like I need to tweak the code that sees and removes email addresses for the web "List Chatter" link.. which by the way, is not part of the Mail Engine, but part of the website. Which I am trying to fix and update currently.

Good music playing.. tweaking code on a Sunday evening..

I'll send you the original email off-list so you can see it. ;)

===============================================================
From: Adam Jimerson
------------------------------------------------------
I will say playing with both Flowcrypt and Mailvelope (Google Chrome and Mozilla Firefox extension) Mailvelope does do some things a bit better than Flowcrypt but still fails in a mailing list context like what is being done here (would decrypt the email just fine but failed to verify the signature to the correct email).

Pros for Mailvelope:

* It's open source
* It uses standard PGP/GPG key servers for managing your keyring if you use the OpenPGP.js that it ships with, but does support using the local GnuPG command and keyring if it detects it
* Presumably supports other web mail providers than just Gmail

In short I think both options are at least a step in the right direction but still need a lot of work. With that I personally will just stick to using another email client that either natively supports GPG or has better GPG support.

That said good work Mike, glad you got it working so quickly and it seems relatively seamless.

===============================================================
From: Billy
------------------------------------------------------
Muy cool!

--b

===============================================================
From: Chad Smith
------------------------------------------------------
Days late to the party, but this is the footer I saw, in Gmail, from China.

=====

And this is how the "From" appears:

Mike (meuon) Harrison mike@geeklabs.com via chugalug.org

*- Chad W. Smith*

On Mon, Mar 2, 2020 at 4:24 AM Mike (meuon) Harrison wrote:

===============================================================
From: Chad Smith
------------------------------------------------------
Gmail as in, through the website. On Chrome.

And, I have a passive VPN that says I'm in Hong Kong. But it's more of a tunnel than a VPN. Like there is physical cable from my ISP into the city of Hong Kong.

*- Chad W. Smith*

===============================================================
From: Dave Brockman
------------------------------------------------------
All proper VPNs should be tunnels. Transport mode is.... interesting but not my idea of a VPN.

Cheers,

-Dave