On 05/28/2013 04:32 PM, Peter Lebbing wrote:
> Personally, I /am/ interested in why people use their keys (the original
> question), and not in the relevance of e-mail.

I use OpenPGP to sign my downloads for others. Everybody using my stuff is either French, Belgian, or Canadian French. The Linux people DO use the detached signature files to verify that some hacker didn't sneak in and whack things.

Don't laugh. The hackers HAVE hit my web-site and despite the fact I don't use SQL, it doesn't mean that SQL isn't on the multi-homed web-server. The hackers did do damage to some of my pages and will probably continue to do so. The hackers are interested in replacing the downloads with some copycat that would, say, block legitimate web-sites and allow infecting web-sites through. The web-site damage I am referring to is NOT done by just some infected PC sending SQL attack packets to web-sites at random. These attacks are done on purpose by a person / people. So OpenPGP detached signatures DO help. Why replace my downloads with false downloads if the verification fails? I will know immediately if my .profile or .bashrc files or other relevant files have been tampered with.

It would be nice for other blockers to use OpenPGP enciphered email messages where we discuss bad web-sites since an email scanner WILL block the message. Encrypting attachments with 7-Zip's AES-128 is messy and time consuming.

IOW, I have a need for both OpenPGP enciphered email AND OpenPGP signed email messages because hackers have attacked me and will continue to attack. Hackers have sent messages purportedly from these other people. But I know their sending IP addresses and do check these suspicious messages. But that is time consuming so an OpenPGP signed message would go a long way to ease my mind.

I got the very same malicious link in an email message that took down Google several years ago. The only difference is that I use Thunderbird with no HTML rendering for my main email despite having four web-mail accounts. The spear attack looked amateurish to me.
But if Google and others would have used OpenPGP signed messages regularly, until the keys are stolen and the pass-phrase sniffed, OpenPGP signed mails CAN enhance security.

Whether people recognize it or not, many of the Linux distros use OpenPGP signatures in *.deb, *.rpm and other update files to verify that they really did come from where they are purportedly from. More than once on a Linux distro update I get a message that says "This update cannot be verified. Do you want it?" NO! I will wait for the update package that can be verified. What is doing the verification? OpenPGP for every Linux distro I have used for years.

HHH