Taliban: of course "decrypting" a signature is easy to do: that's how you verify that the signature is authentic! What's important is that an attacker cannot forge a user's signature. This is only feasible if the attacker gains access to the user's private key, which is stored on the user's local machine. Without that key, forging a signature is computationally very difficult. It doesn't matter whether the attacker knows the source code -- the private key is the only thing that must be kept secret. |