Bugtraq mailing list archives
Re: Security Flaw with Digital signatures in Microsoft Outlook
From: "Anthony G. Atkielski" <anthony () atkielski com>
Date: Fri, 25 Mar 2005 22:20:27 +0100
Roberto writes:
This 3rd email is yet another variation showing how a digitally signed email can further be forged without Outlook ever raising warning flags (follow the hyperlinks for the email's source):
Digitally-signed messages cannot be forged. However, only the body of a digitally-signed message is actually included in the text covered by the signature; the headers are excluded. That's not an Outlook idiosyncrasy, it's just the way signed e-mail works.

In every screenshot you provide, Outlook correctly identifies the party that created the digital signature. That's what a security-conscious user will check. And the text of the message has not been changed, so the signature is still valid, and no forgery has occurred.

I'm afraid I don't see any problem here. Yes, it's inconvenient that one can forge the "From" line of a message, but in secure e-mail, one doesn't rely on the "From" line, anyway, precisely because it can be so easily forged. I suppose it might be nice if Outlook made the discrepancy between the "From" line and the signer's authenticated identity a bit more obvious, but that's not a security breach, just an ergonomic issue.

-- 
Anthony
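The point made in the reply above, shown in code. This is an added example and is not part of the thread, nor Outlook's or any S/MIME library's code. It stands in for S/MIME with a simplified scheme: an Ed25519 signature over the raw body bytes only, with a self-signed X.509 certificate carrying the signer's rfc822Name travelling alongside the message (real S/MIME wraps this in a CMS SignedData structure and the certificate chains to a CA, but the signed scope is the same: the MIME body, not the RFC 822 headers). The addresses, subject and body are constructed sample data. The program signs a message, rewrites only the From: header, and shows that the signature still verifies while the signer identity from the certificate no longer matches the displayed sender, which is the discrepancy a client should surface; a body change, by contrast, breaks the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/mail"
	"strings"
	"time"
)

// Identity is a signer: an Ed25519 key and a self-signed certificate whose
// rfc822Name SAN carries the address a CA would have vetted (assumed setup).
type Identity struct {
	Key     ed25519.PrivateKey
	CertDER []byte
}

// SignedMessage holds the RFC 822 text plus a signature that covers only the
// body bytes, as in S/MIME. The headers, including From:, are not signed.
type SignedMessage struct {
	Raw     string // "Header: value\r\n...\r\n\r\nbody"
	Sig     []byte // Ed25519 signature over the body only
	CertDER []byte // signer certificate shipped with the message
}

// VerifyResult separates the two questions a reader has to ask.
type VerifyResult struct {
	SignatureValid    bool   // body unchanged since it was signed
	Signer            string // identity taken from the certificate
	From              string // unsigned From: header the client displays
	FromMatchesSigner bool   // the check Outlook could make more obvious
}

// NewIdentity creates a key and a self-signed cert binding it to email.
func NewIdentity(email string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, // becomes the rfc822Name SAN
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &Identity{Key: priv, CertDER: der}, nil
}

// parse splits a message into headers and the exact bytes the signature covers.
func parse(raw string) (mail.Header, []byte, error) {
	m, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, nil, err
	}
	body, err := io.ReadAll(m.Body)
	return m.Header, body, err
}

// Sign assembles the message and signs the body bytes only.
func (id *Identity) Sign(from, to, subject, body string) (*SignedMessage, error) {
	raw := fmt.Sprintf("From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s", from, to, subject, body)
	_, bodyBytes, err := parse(raw)
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Raw: raw, Sig: ed25519.Sign(id.Key, bodyBytes), CertDER: id.CertDER}, nil
}

// ForgeFrom rewrites the From: header and nothing else, as any relay can.
func ForgeFrom(msg *SignedMessage, newFrom string) *SignedMessage {
	lines := strings.Split(msg.Raw, "\r\n")
	for i, l := range lines {
		if l == "" {
			break // end of header block; the body is left untouched
		}
		if strings.HasPrefix(strings.ToLower(l), "from:") {
			lines[i] = "From: " + newFrom
		}
	}
	return &SignedMessage{Raw: strings.Join(lines, "\r\n"), Sig: msg.Sig, CertDER: msg.CertDER}
}

// Verify checks the body signature and reports the certificate's identity next
// to the unsigned From: address so the two can be compared.
func Verify(msg *SignedMessage) (VerifyResult, error) {
	var res VerifyResult
	cert, err := x509.ParseCertificate(msg.CertDER)
	if err != nil {
		return res, err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return res, errors.New("unsupported signer key type")
	}
	if len(cert.EmailAddresses) == 0 {
		return res, errors.New("certificate carries no e-mail address")
	}
	hdr, body, err := parse(msg.Raw)
	if err != nil {
		return res, err
	}
	addr, err := mail.ParseAddress(hdr.Get("From"))
	if err != nil {
		return res, err
	}
	res.SignatureValid = ed25519.Verify(pub, body, msg.Sig)
	res.Signer = cert.EmailAddresses[0]
	res.From = addr.Address
	res.FromMatchesSigner = strings.EqualFold(res.From, res.Signer)
	return res, nil
}

func main() {
	mallory, _ := NewIdentity("mallory@example.com")
	msg, _ := mallory.Sign("mallory@example.com", "bob@example.com", "Invoice", "Please wire the funds today.\r\n")
	r, _ := Verify(msg)
	fmt.Printf("original: valid=%v signer=%s from=%s match=%v\n", r.SignatureValid, r.Signer, r.From, r.FromMatchesSigner)
	r, _ = Verify(ForgeFrom(msg, "Alice <alice@example.com>"))
	fmt.Printf("forged From: valid=%v signer=%s from=%s match=%v\n", r.SignatureValid, r.Signer, r.From, r.FromMatchesSigner)
}
```

The forged message verifies because nothing the signature covers has changed; what a client must do is what Verify does in its last two lines: take the signer from the certificate, not from the header, and compare. Rejecting or loudly flagging FromMatchesSigner == false is the "more obvious" handling the reply asks for.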
Current thread:
- Security Flaw with Digital signatures in Microsoft Outlook Roberto Franceschetti (Mar 25)
- RE: Security Flaw with Digital signatures in Microsoft Outlook Adrian Floarea (Mar 25)
- Re: [bugtraq] Security Flaw with Digital signatures in Microsoft Outlook Erwann ABALEA (Mar 25)
- RE: [bugtraq] Security Flaw with Digital signatures in Microsoft Outlook Lyal Collins (Mar 26)
- Re: Security Flaw with Digital signatures in Microsoft Outlook Anthony G. Atkielski (Mar 26)
- <Possible follow-ups>
- Re: Security Flaw with Digital signatures in Microsoft Outlook dori (Mar 29)