Re: Security flaw in how Outlook verifies digital signatures

From: Jeff Stephenson [MSFT] (stephenson_at_online.microsoft.com)
Date: 02/18/05

• Next message: Vanguard: "Re: Security flaw in how Outlook verifies digital signatures"
• Previous message: dauvil: "Re: Creating a File for Spam"
• In reply to: Roberto Franceschetti: "Re: Security flaw in how Outlook verifies digital signatures"
• Next in thread: Roberto Franceschetti: "Re: Security flaw in how Outlook verifies digital signatures"
• Reply: Roberto Franceschetti: "Re: Security flaw in how Outlook verifies digital signatures"
• Messages sorted by: [ date ] [ thread ]

---

Date: Thu, 17 Feb 2005 23:02:04 -0800

On Fri, 18 Feb 2005 04:55:06 GMT, Roberto Franceschetti wrote:

> Please look in particular at the words "This proves to the recipient that
> the message is from you and not from an imposter"

And this is exactly what Outlook does, if you look at the actual
*signature* on the message instead of the (incredibly easily forged)
"From". As I said before, anybody that can actually sign the message with
your certificate isn't going to be stupid enough to send it with their
address; to see who the message is from, always check the signature, not
the From.

If you really care about the legitimacy of snail mail, do you check the
return address on the envelope, or compare the actual ink signature to a
known copy of the person's signature? Same thing in email - check the
signature. [Actually, given current image technology, digital signatures
are *much* better than ink signatures...]

-- 
Jeff Stephenson
Outlook Development
This posting is provided "AS IS" with no warranties, and confers no rights

---

• Next message: Vanguard: "Re: Security flaw in how Outlook verifies digital signatures"
• Previous message: dauvil: "Re: Creating a File for Spam"
• In reply to: Roberto Franceschetti: "Re: Security flaw in how Outlook verifies digital signatures"
• Next in thread: Roberto Franceschetti: "Re: Security flaw in how Outlook verifies digital signatures"
• Reply: Roberto Franceschetti: "Re: Security flaw in how Outlook verifies digital signatures"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: SBS / outlook wierd image attachment / signature issue ... Hi, I have narrowed the issue down to the normal.dot and using word as an email editor, the image is not related to a signature being attached or not. ... Some of your client users will get attachment with image file when they ... Turn off third-party add-ins in Outlook ... (microsoft.public.windows.server.sbs) Re: script to create signatures to all users ... Otherwise, I don't know why it's not working, only that using those registry values in that fashion is not supported by Microsoft. ... Author of Microsoft Outlook 2007 Programming: ... POLICY "Signature for new messages" ... (microsoft.public.outlook.program_vba) Re: script to create signatures to all users ... some of our cients' outlook 2003 don't allow for the new signature to be ... POLICY "Signature for new messages" ... create your .html file and store it in there. ... (microsoft.public.outlook.program_vba) Re: Outlook 2007 automatically renaming .GIF image to .PNG ... When the message was sent, Outlook for some reason replaced the missing ... I create a new temporary message with an inline image in the signature. ... I clear Automatically perform basic compression. ... The GIF I'm attaching to my message is still ... (microsoft.public.win32.programmer.messaging) Re: Marquee tag in Outlook 2003 and fancy signatures ... this is what I'M wanting to do as well. ... Teach Yourself Outlook 2003 in 24 Hours ... signature for marketing dept, which love having things like that. ... I've receive an email message with the scrolling text in the signature ... (microsoft.public.outlook)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(11)