Winlink Wednesday #3, Whitelists

[Chris Sullivan]

This week's exercise delves into whitelists, which allow you to receive messages from non-WInlink email addresses. The Winlink RMS system is a full email messaging service with connections to Internet mail so it is not restricted to hams, but we only want to receive from trusted email addresses as (a) we don't want to clog the system with spam, and (b) we want incoming mail to abide by the rules (e.g., non-commercial) of amateur radio as the messages might be transferred by radio in some part of the message path.

Once again, to preserve formatting, I have put the exercise into a PDF file to preserve the formatting.

As some of you know, I've been out-of-town for the past 3 weeks, mostly driving. I haven't had a chance to review the messages from Winlink Wednesday #2 but I'll get to it this week.

I hope you had fun with last week's ETO exercise. I did it late at night from my motel room so I'm not certain how well I did. We'll see when the result are posted.

73,

Chris

[Tom Stefanac]

Speaking of PDFs ..

If you really need to pass some secure traffic, you can bend the rules by sending a password protected PDF as a winlink attachment if you keep it under 100kb which is doable.

I had to send some banking related info to the XYL from Algonquin a couple years back and that was how I did it. In retrospect driving to the west gate and making a cell phone call was probably as quick but not nearly as much fun.

I used the Halifax RMS gateway to not upset our American friends and stay under the radar, our Southern friends are very strict about coded messages and easily bend out of shape :⁠-)

My argument is - the PDF is not encrypted, just password protected - exactly like my winlink 😂

Cheers,
Tom VA3VWX

--
You received this message because you are subscribed to the Google Groups "YRARC Winlink Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to winlink.grou...@yrarc.org.
To view this discussion on the web visit https://groups.google.com/a/yrarc.org/d/msgid/winlink.group/265dde43-cf62-4d86-91cf-086c2daed387n%40yrarc.org.

[Chris Sullivan]

Interesting topic. There are two types of password protection in Adobe Acrobat. One is a "permissions password" that does not encrypt the document but prevents Acrobat reader from opening the document under specified conditions. That password can be removed without knowing what it is by Adobe Acrobat DC, and for 3rd party PDF readers it is up to the implementation to enforce those rules. Apparently some don't. In other words, it is quite insecure, although it would be easy to argue that it is legal in amateur radio.

The other type of password is an encryption password. That would appear to be illegal under the rules station that any code or cipher used in amateur radio must be public. There are also password "crackers" out there which can unlock passwords if they aren't strong enough.  While the AES256 encryption used by Adobe is quite strong, it is vulnerable if weak passwords are used. Adobe provides an indication of how strong the password is but doesn't enforce it. This chart shows the relationship between password length and complexity vs. cracking time. The processor used was quite (12 GTX 4090 GPUs) powerful but well within the reach of a well-heeled hacker.  The computers used to create ChatGPT would be several thousand times faster (and presumably, the ones used by the NSA would be faster still).

Unlike login passwords once you have a PDF file you can try cracking it for as long as you like. You won't get locked-out like you would when logging into a computer.

Another consideration is that computers get faster over time, so you can divide the times in this chart by two every 18-24 months. Something that is secure today might not be in 10 years. Because of this, governments are collecting secure traffic now which they hope to be able to decrypt in the future, either with faster traditional computing or with quantum processors. The algorithm used in PDF documents is supposed to be quantum-resistant though.

 

The cracking time drops to (nearly) instant for any password contained in a dictionary. There are large dictionaries of common passwords traded by hackers and these can be tested very rapidly.

Let's be careful at there.

[Mike VA3MCT]

Chris,

Interestingly I tried to send to your winlink email from my gmail and as expected it was rejected.

However, I tried a follow up email to multiple winlink addresses including my own in the cc, again from gmail. My va3...@gmail.com is in my WHITELIST at Winlink.org

I received the email in Winlink, but ...

I never received a rejected email notification for the other winlink addresses which I checked are not in my whitelist.

73,

Mike Crabtree - VA3MCT

--

[Chris Sullivan]

Hi Mike,

The key is whether your external email is on the recipients' whitelists. If that is the case, then you wouldn't receive a rejected email notification because they would have received the message.

The only other explanation would be a bug in the RMS system.

73,

Chris