spoofproof.org FAQs
What is "SpoofProof"?
What is the "Validation Link"?
Why do I need it?
Isn't this the same as PGP?
How does it work?
Can a message be repudiated by the user once it's posted?
What is a "hash"?
Is there a limit to the number of messages I can "SpoofProof"?
Is this one of those "Personal Use Only" things?
How long are messages archived?
How secure is SpoofProof?
How much is it?
You could be making money from this. Why aren't you?
Can I test it to see how it works?
I would like to request an additional feature.
 
 

What is "SpoofProof"?

SpoofProof is a free service that signs text with a unique, cryptographically secure algorithm. You can use it to sign electronic documents, emails, or newsgroup messages, and the signature generated is permanently and irreversibly associated with the text. This is especially important when sending email or posting to newsgroups. Unfortunately, anyone can impersonate you online because there are no subtle cues to authenticate your identity to the reader the same way as in real life. Even modestly skilled people can impersonate you online with relatively little effort. With SpoofProof, checking the authenticity of a message is as simple as clicking the validation link in the document or message. There is no need for the reader of your message to have your public key or cryptographic software to authenticate your message.

What is the "Validation Link"?

It's just a hyperlink with the key appended to it, like this: http://www.spoofproof.org/validation.php?sig=eb7d5a75e94d6d69454a522007d87f92 . Anyone who clicks on this link will be taken to a webpage which has a text copy of the message you signed with this key.

Why do I need it?

If you are an active newsgroup participant, you have probably been spoofed by a troll at one time or another (spoofing is a common harassment technique used to disrupt newsgroups). You may have been misquoted by other newsgroup participants, or you may have needed to indicate in some way that you are the original author of a document. With SpoofProof, it's as simple as pasting a link into your document or message and clicking the "send" button. Anyone who clicks on the link will be taken to a web page which displays the complete message, the key used to hash it, and any contact, quote, or personal information you would like to provide.

Isn't this the same as PGP?

In a word, no. PGP does use a digital signature, but it requires that both the sender and the recipient have a copy of PGP software, and that the recipient has a known, valid copy of the sender's public key. A spoofer has only to convince you that you are in possession of a valid public key from the sender, and then he is free to impersonate the sender.

How does it work?

SpoofProof uses a cryptographic hash of several random elements to create a unique, 64-bit key at the time the user creates his account. When a user signs a message, the key is salted with a complex time hash, iterated a random number of times, and then applied to the text of the user's message to create a signature that is utterly unique. The resulting hash is then appended to a preconfigured URL and presented to the user.

Can a message be repudiated by the user once it's posted?

No. There is no way for anyone (neither the user nor the author of the message) to edit the message once it has been entered into the database. A message cannot be edited or repudiated in any way, but the user can choose to password-protect the message so that only authorized persons may view it. The password can be changed by the account holder at any time. You are advised not to publish the validation link until you are certain your message is correct.
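The signing flow from "How does it work?" and the write-once archive described above, as an added sketch that is not SpoofProof's own code. The page does not name the hash function, the salt format or the iteration range, so SHA-256, HMAC, the 1 to 256 round count, the truncation to 32 hex characters (chosen to match the sample link) and all class and function names are assumptions.

```python
import hashlib
import hmac
import os
import time

BASE_URL = "http://www.spoofproof.org/validation.php?sig="  # link format shown on the page


class Archive:
    """Constructed stand-in for the service's database: entries are write-once."""

    def __init__(self):
        self._rows = {}

    def put(self, sig, text):
        if sig in self._rows:
            raise ValueError("already archived; stored messages are never edited")
        self._rows[sig] = text

    def get(self, sig):
        return self._rows.get(sig)


def new_account_key():
    # 64-bit per-account key derived from random input (hash choice is an assumption).
    return hashlib.sha256(os.urandom(32)).digest()[:8]


def sign(archive, account_key, text, now=None):
    # Salt the key with a hash of the time, iterate a random number of times,
    # then apply the result to the message text as a keyed hash.
    now = time.time() if now is None else now
    state = hashlib.sha256(account_key + hashlib.sha256(repr(now).encode()).digest()).digest()
    for _ in range(1 + os.urandom(1)[0]):  # 1..256 rounds; the range is an assumption
        state = hashlib.sha256(state).digest()
    sig = hmac.new(state, text.encode(), hashlib.sha256).hexdigest()[:32]
    archive.put(sig, text)
    return BASE_URL + sig


def validate(archive, url, received_text):
    # The reader cannot recompute the signature (salt and round count are not
    # published), so validation is a lookup plus a comparison of the texts.
    archived = archive.get(url.rsplit("sig=", 1)[-1])
    if archived is None:
        return "unknown"
    return "match" if archived == received_text else "mismatch"
```

Following the link only shows that some text was archived under that signature; the comparison in `validate` is what ties the archived copy to the message the reader actually received.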

What is a "hash"?

A hash is a set of mathematical instructions that generate an alphanumeric string of text based on the numerical values of each bit from the input stream. It is not computationally feasible to predict or reverse a hash, so they are considered highly reliable for verifying that the contents of a message or file have not been tampered with. All of the major cryptography programs use hash algorithms to sign text or binary objects.

Is there a limit to the number of messages I can "SpoofProof"?

There are no hard limits. This server is capable of processing about three thousand messages per second, so I have no plans for imposing any kind of limits. Most people post fewer than 20 messages per day, so this is really a non-issue. Obviously, if you are posting 2000 or more messages per day, you can expect to hear from me.

Is this one of those "Personal Use Only" things?

You can use this service for business or personal use, as long as you don't use SpoofProof for any illegal purpose. An example of illegal use would be using a SpoofProof signature in a message which advertises illegal pornographic content. Additionally, you cannot use SpoofProof to impersonate someone else.

How long are messages archived?

By default, messages are archived for 180 days. You can set your messages to be archived for longer or shorter periods of time if you want.

How secure is SpoofProof?

SpoofProof is hosted on a secure server. The database used for SpoofProof's backend has a long history of exceptional resistance to hackers. The site is hosted behind a highly secure firewall, and the site's PHP code has been independently reviewed for security. Acts of internet terrorism are aggressively investigated and prosecuted here in the US, and there is nothing to gain from breaching the site's security, so SpoofProof is not likely to be targeted, let alone breached.

How much is it?

Nothing. It's free.

You could be making money from this. Why aren't you?

The internet is choked with spam, get-rich-quick schemes, membership fees, and pleas for donations to keep "so and so's" site open. Money isn't the most important thing in the world to me, and aside from that, I've been very fortunate in life. There are other ways to make money. Doing something good for our global internet/usenet community is its own reward. Think of it as volunteer work.

Can I test it to see how it works?

Go here.

I would like to request an additional feature.

Go here.

 
 


copyright 2003-2007 all rights reserved
John Davis
PGP 0x6FF77EF6