Re: Security Flaw with Digital Signatures in Outlook

From: Andrew Mitchell (amitchell_at_removecasey.vic.gov.au)
Date: 02/19/05


Date: Fri, 18 Feb 2005 20:15:53 -0800


"Roberto Franceschetti" <roberto@logsat.com> said

> Andy,
>
> There are no replies from CERT in my documentation because CERT did not
> bother to reply.
> As for the documentation that states that the "sender", and not the
> other email headers (I never talked about all headers, I've only talked
> about the mail from) be verified, I've just posted it above if you
> read carefully. The documentation is from both Outlook (which fails to
> verify) and Outlook Express. Please read them from above. Again the key
> phrases in the following snippets of documentation are:
>
> By using digital IDs with Outlook Express, you can prove your identity
>
> and
>
> This proves to the recipient that the message is from you and not from
> an imposter
>
> As you see Microsoft's documentation clearly states that digital IDs
> are used also to ensure the sender is not an impostor... And they are
> not talking about RFCs there and the body and S/MIME etc. They are
> simply talking about verifying that the sender is who he says he is.
> And, once more, Outlook is not doing that, as from my report you can
> see that an email from hacker@logsat.com appears as an email with valid
> digital signature in Outlook, while all the other programs in the world
> will raise warning flags, including Microsoft's own Outlook Express.
>

That's the whole point of it though.
I can receive a signed email from (for example) CERT, copy their message
complete with signature, paste it into a message of my own and send that to
someone else and they are still able to verify that the section of the
email signed by CERT is valid.

I don't see any issue here.

-- 
Andy.
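The scenario both posters describe, reproduced with OpenSSL as an added example (this is not code from the thread or from either poster): a genuine clear-signed S/MIME message is copied byte for byte under a different From: header, the CMS signature still verifies (Andy's point), and a separate check of From: against the signer certificate is what catches the replay (the check Roberto says Outlook Express makes and Outlook does not). The key and certificate are throwaway ones generated on the spot; the two addresses are reused from the thread purely for illustration, and victim@example.com is made up.

```shell
#!/bin/sh
# Added example, not from the thread.  Replays a real S/MIME signature under a
# forged From: header and applies the sender check a client should make.
# Key, certificate, body and addresses are all constructed here.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SIGNER=roberto@logsat.com   # address the certificate is issued to
REPLAYER=hacker@logsat.com  # From: the replayer puts on the copied message

# Throwaway self-signed S/MIME certificate.  Real certificates usually carry
# the address as an rfc822Name SAN as well; "openssl x509 -email" reads both.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Roberto/emailAddress=$SIGNER" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Detached (clear-signed) multipart/signed message.  -from/-to/-subject are
# written OUTSIDE the signed part, which is the whole point of the thread.
sign_message() {
    printf 'Please pay the attached invoice today.\n' > "$WORK/body.txt"
    openssl smime -sign -text -in "$WORK/body.txt" -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -from "$SIGNER" -to victim@example.com \
        -subject "Invoice" -out "$WORK/signed.eml"
}

# Replay: the signed part is copied unchanged; only the From: header differs.
replay_message() {
    sed "s/^From: .*/From: $REPLAYER/" "$WORK/signed.eml" > "$WORK/forged.eml"
}

# Check 1: does the CMS signature verify and chain to a trusted certificate?
# -signer writes out the certificate that actually produced the signature.
signature_ok() {
    openssl smime -verify -in "$1" -CAfile "$WORK/cert.pem" \
        -signer "$WORK/signer.pem" -out /dev/null 2>/dev/null
}

# Check 2: does the From: address appear in that signer certificate?
# (Run signature_ok on the same message first so signer.pem exists.)
from_matches_signer() {
    from=$(sed -n 's/^From:[[:space:]]*//p' "$1" | head -n 1 \
           | sed 's/.*<\(.*\)>.*/\1/' | tr 'A-Z' 'a-z')
    [ -n "$from" ] || return 1
    openssl x509 -in "$WORK/signer.pem" -noout -email \
        | tr 'A-Z' 'a-z' | grep -qxF "$from"
}

# What a mail client should do: accept only when both checks pass.
accept_message() {
    signature_ok "$1" && from_matches_signer "$1"
}

report() {
    if signature_ok "$1"; then sig=valid; else sig=INVALID; fi
    if from_matches_signer "$1"; then hdr="matches"; else hdr="does NOT match"; fi
    printf '%-11s signature %-7s From: %s signer certificate\n' \
        "$(basename "$1"):" "$sig" "$hdr"
}

make_cert
sign_message
replay_message
report "$WORK/signed.eml"   # signature valid   From: matches signer certificate
report "$WORK/forged.eml"   # signature valid   From: does NOT match signer certificate
```

Both messages pass `openssl smime -verify`, because the signature covers only the inner MIME part, never the RFC 822 headers wrapped around it; whether the forged copy is accepted depends entirely on whether the client compares From: with the address bound into the signer certificate, which is the behaviour the two posters disagree about.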

