Comments on RevK®'s ramblings: Financial Ombudsman and PGP
Comment feed, last updated 2024-03-18T12:28:29+00:00 (7 comments)

Graeme V, 2023-02-24T17:07:20+00:00:

This site seems to have the "internal doc" on how the ombudsman tells its staff

https://www.whatdotheyknow.com/request/274954/response/677727/attach/3/Email%20encryption%20guide.pdf?cookie_passthrough=1

(sadly does not seem to help ... all the keys listed at keys.financial-ombudsman.org.uk are mine ... still can't find the ombudsman's key

Anonymous, 2023-02-24T16:09:34+00:00:

They do use Symantec. Rather unfortunately they add their DKIM signature BEFORE Symantec mess with it, so while their plain text mails have a good DKIM, their encrypted mails say

    Invalid (E-Mail was modified)

So getting their mail is fine, however I now want to reply to them. They don't appear to publish their own Public Key... I see somebody tried hard to get it:
https://www.whatdotheyknow.com/request/public_pgp_encryption_key?utm_campaign=alaveteli-experiments-87&utm_content=sidebar_similar_requests&utm_medium=link&utm_source=whatdotheyknow

But I still don't see it (nor should I trust a key I found in a random post)

RevK, 2022-06-15T15:03:00+01:00:

I was sure we fixed that! I'll have to have another look.

Anonymous, 2022-06-15T14:51:33+01:00:

Actually, automated responses from Andrews & Arnold are sent to customers using the signing key for a different address, e.g. messages from accounts@aa.net.uk are signed by the key for auto@aa.net.uk - I did raise this in correspondence with Accounts and they promised to look into it, but it was never fixed.

Luke, 2019-04-24T12:16:47+01:00:

In one of their newsletters they stated they use Symantec's PGP Universal product, which sits at the network level so my money would be on the users not seeing it at all.

Anonymous, 2018-01-09T11:59:07+00:00:

It is highly likely they are using the Symantec PGP gateway which handles all this. I have used this in the past, and as you say it handles everything transparently so the users at the company end don't see anything about the encryption in most cases because the internal traffic is deemed to be "secure." It could be argued that the system is acting as a man in the middle because it is decrypting the email before it reaches the destination and so the user never deals with encryption etc. My argument for this is it causes security issues because the users just send emails as normal with the expectation that some magic down the line will handle the encryption for them.
IIRC the settings in the server are set such that they will contact the public key servers and if the email addresses match it encrypts to that key.

Chris, 2018-01-08T17:47:27+00:00:

Interesting that they made no attempt to verify that the key presented belongs to the human who has an account with them. I suspect it would have been easy to forge an email from you to them saying "Here's my key" and for them to then send that person personal info about you, confident that it's safe because it's encrypted. Especially if they don't actually see the working and hence have no appreciation of it. In fact it could be easy for a third-party to send an updated key and their system will possibly take it on. Unless they initially verify your key, and then use that as a basis for chaining new keys on when they change, they're still open to abuse, perhaps more so under the false illusion of safety because "military grade encryption".