Signing with HTML, CSS and Pictures

Hanno Böck
Twitter: @hanno

Does anyone use OpenPGP/GnuPG?

Do you sign your E-Mails?

A signed E-Mail in kmail

Sorry, that was a fake.

I "signed" it with HTML/CSS.

This is the real one

Which one is the fake?

Ok, but this is kmail. Anyone ever heard of anyone using kmail?

Let's look at Thunderbird and Enigmail

Is this real?

This was a fake, too.

Here's the real one

There's a tiny difference, but would you have noticed?

This also works with mutt...

... or Evolution ...

... or Apple mail / GPGTools.

What's the problem?

HTML mails are evil.

Optional security indicator in attacker-controlled space.

How's this problem handled elsewhere?

It used to be possible to fake Browser URL bars.

This is no longer possible, because browsers always display an URL bar.

However browsers have moved on

User research shows that users don't understand security indicators very well.

When it comes to the web the goal is to make secure (HTTPS) the default and not have positive security indicators any more.

This is not feasible for E-Mail signatures for obvious reasons.