Let's say Bob pretends to be Alice, spoofs a non-encrypted email to make it look like it is from Alice, and sends that to John, who uses Thunderbird with the Enigmail plugin.
Enigmail only encrypts the e-mail sent to someone else, and decrypts encrypted e-mails; it does not encrypt non-encrypted e-mails sent by someone else. So it is possible to spoof the e-mails sent by Alice. – mike-stokkel Mar 17 '16 at 16:24
1 Answer
Well, you can spoof an email address without signing the email. However, if you get an email from an address and the email is signed, you know it's not fake. The signing process will provide you with enough information to verify that the email is from whom it is meant to be from.
For instance, you could spoof an email from a bank asking for customer details. You could not spoof an email signed with SHA256 from a bank asking for customer details. OpenPGP communication requires trust levels to be accurate. In the case of something like a bank, you should trust their OpenPGP key if you get it from them physically or (say) with your new credit card.
Without a web of trust, the idea behind OpenPGP falls down. If you don't know exactly who gave you a key in the first place, all you can confirm is that the same (unknown owner) key is being used to sign things. Nothing less, nothing more.
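The scenario above, as an added example that is not part of the original question or answer: John keeps a keyring of sender addresses mapped to the public keys he has verified out of band (the trust step the answer describes), and only a mail whose signature verifies under the key trusted for its claimed From address is accepted. Ed25519 from Go's standard library stands in for OpenPGP's signature algorithm, the addresses and message bodies are constructed for the example, and the `SignedMail`/`Keyring` types are assumptions of this example, not Enigmail's data model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMail models only the parts of an e-mail that matter for signature
// checking: the claimed sender, the signed body, and a detached signature
// (nil when the mail is unsigned). Hypothetical type for this example.
type SignedMail struct {
	From      string
	Body      []byte
	Signature []byte
}

// Keyring maps a sender address to the public key the recipient has decided
// to trust for that address, i.e. the key obtained in person or via another
// verified channel. Hypothetical type for this example.
type Keyring map[string]ed25519.PublicKey

// Sign builds a mail whose body is signed with the sender's private key.
func Sign(from string, body []byte, priv ed25519.PrivateKey) SignedMail {
	return SignedMail{From: from, Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify returns true only when the mail carries a signature that verifies
// under the key the recipient trusts for the claimed From address. A missing
// signature, a signature made by some other key, a tampered body, or a sender
// with no trusted key all fail.
func Verify(kr Keyring, m SignedMail) bool {
	pub, trusted := kr[m.From]
	if !trusted || m.Signature == nil {
		return false
	}
	return ed25519.Verify(pub, m.Body, m.Signature)
}

// ScenarioResults records the verification outcome for each mail John receives.
type ScenarioResults struct {
	Genuine       bool // Alice's real signed mail
	SpoofUnsigned bool // Bob spoofs Alice's address and sends no signature
	SpoofOwnKey   bool // Bob spoofs Alice's address and signs with his own key
	Tampered      bool // Alice's signed mail with the body altered in transit
	UnknownSender bool // a signed mail from an address John holds no trusted key for
}

// RunScenario plays out the question's scenario with constructed data.
func RunScenario() (ScenarioResults, error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResults{}, err
	}
	_, bobPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResults{}, err
	}

	// John verified Alice's key out of band; he knows nothing about Bob's key.
	john := Keyring{"alice@example.com": alicePub}

	body := []byte("Please wire the payment to the account below.") // constructed
	genuine := Sign("alice@example.com", body, alicePriv)
	spoofUnsigned := SignedMail{From: "alice@example.com", Body: body}
	spoofOwnKey := Sign("alice@example.com", body, bobPriv)
	tampered := genuine
	tampered.Body = []byte("Please wire the payment to Bob's account.") // constructed
	unknown := Sign("bob@example.com", body, bobPriv)

	return ScenarioResults{
		Genuine:       Verify(john, genuine),
		SpoofUnsigned: Verify(john, spoofUnsigned),
		SpoofOwnKey:   Verify(john, spoofOwnKey),
		Tampered:      Verify(john, tampered),
		UnknownSender: Verify(john, unknown),
	}, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The `UnknownSender` case is the answer's last point in code: Bob's signature on his own mail is cryptographically valid, but since John has no trusted key for that address, all he could conclude is that some key signed it, so the keyring check rejects it rather than treating an unverified key as proof of identity.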