Well shit. This is the third time I’ve had to re type this post so forgive the brevity.
You are right but it makes the attack less effective, since it’s a phishing attack not a targeted one. I can’t think of an efficient way for an attacker to collect these compromised signatures without making it even more obvious to the victim.
This is correct, you could asymmetrically encrypt the data.
The intended use is for the user to download the script and run it locally. Seving a compromised copy 10% of the time would just lower the reach of the attack. Especially cause the visitor can still verify the source code, or verify the output of the signature.
Even if you cut the size of the private key in half, the signature would still be 5x longer than a standard PGP signature, and the fact that subpacket 20 has been padded with a large amount of data would be immediately visible to the victim upon verifying their own signature. (Note that I didn’t include a verification tool, so the visitor would have to do that on their own trusted software.)
Well shit. This is the third time I’ve had to re type this post so forgive the brevity.
You are right but it makes the attack less effective, since it’s a phishing attack not a targeted one. I can’t think of an efficient way for an attacker to collect these compromised signatures without making it even more obvious to the victim.
This is correct, you could asymmetrically encrypt the data.
The intended use is for the user to download the script and run it locally. Seving a compromised copy 10% of the time would just lower the reach of the attack. Especially cause the visitor can still verify the source code, or verify the output of the signature.
Even if you cut the size of the private key in half, the signature would still be 5x longer than a standard PGP signature, and the fact that subpacket 20 has been padded with a large amount of data would be immediately visible to the victim upon verifying their own signature. (Note that I didn’t include a verification tool, so the visitor would have to do that on their own trusted software.)