Re: Security flaw in how Outlook verifies digital signatures
From: Roberto Franceschetti (roberto_remove_n.o.s.p.a.m_tag_at_logsat.com)
Date: 02/19/05
- Next message: MJ: "OL2002: Problem with Calendar Folder Size"
- Previous message: Tortdog: "Re: MOOL Questions"
- In reply to: Jeff Stephenson [MSFT]: "Re: Security flaw in how Outlook verifies digital signatures"
- Next in thread: Vanguard: "Re: Security flaw in how Outlook verifies digital signatures"
- Reply: Vanguard: "Re: Security flaw in how Outlook verifies digital signatures"
- Reply: Jeff Stephenson [MSFT]: "Re: Security flaw in how Outlook verifies digital signatures"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 19 Feb 2005 05:13:53 GMT
Jeff,
Simple exploit. I use my own Verisign digital certificate to sign an email.
I then alter the From in the email to make it appear from Microsoft. I then
send the signed email to my competitor. He sees an email coming from
Microsoft, digitally signed, with a valid signature, but unfortunately he's
using Outlook which does not warn him that the sender does not match the
certificate (if he had only used Mozilla or Outlook Express he'd see flags
everywhere...). The email will talk about a new non-existent vulnerability,
and perhaps I will attach an infected attachment, with a copy of maybe Optix
Pro to get a backdoor into his system...
Am I stupid because I used my own certificate...? Not really, you see,
somebody stole my private key which I uploaded onto my ISP's public ftp
server to make it easier for me to access it while traveling... in court my
lawyer would be having a field day proving my innocence as a victim of
fraud, and in the meantime I've caused irreparable harm to my competitor.
All because Outlook is the only email client that did not warn him about the
sender not being the one who signed the email...
...this is only one example of abuse of the exploit.
Yes, if you look deep down in the signature a *very* computer-savvy user
will eventually understand that the sender is not really the person who
signed the email. But I stress the words computer-savvy. Your average and
even above average computer user will have no idea that the email was not
from Microsoft, as the vast majority of users have no idea how these
certificates work. They just care about "the email is digitally signed" and
"my email program says it's valid".
Roberto Franceschetti
roberto at sign logsat.com
"Jeff Stephenson [MSFT]" <stephenson@online.microsoft.com> wrote in message
news:18zrcqipebceb.dlg@jeff.stephenson.microsoft.com...
> On Fri, 18 Feb 2005 04:55:06 GMT, Roberto Franceschetti wrote:
>
>> Please look in particular at the words "This proves to the recipient that
>> the message is from you and not from an imposter"
>
> And this is exactly what Outlook does, if you look at the actual
> *signature* on the message instead of the (incredibly easily forged)
> "From". As I said before, anybody that can actually sign the message with
> your certificate isn't going to be stupid enough to send it with their
> address; to see who the message is from, always check the signature, not
> the From.
>
> If you really care about the legitimacy of snail mail, do you check the
> return address on the envelope, or compare the actual ink signature to a
> known copy of the person's signature? Same thing in email - check the
> signature. [Actually, given current image technology, digital signatures
> are *much* better than ink signatures...]
>
> --
> Jeff Stephenson
> Outlook Development
> This posting is provided "AS IS" with no warranties, and confers no rights
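The scenario Roberto describes, reproduced with the OpenSSL command line as an added example (this is not code from the thread, from Microsoft or from any mail client): a self-signed certificate bound to roberto@logsat.com signs a message whose From: header claims a Microsoft address. `openssl cms -verify` reports the signature as valid, exactly like the Outlook behaviour under discussion, because signature verification only proves which certificate signed the content. The last function is the check Roberto is asking for: compare the From: addr-spec against the e-mail addresses carried in the signer certificate (subject emailAddress and rfc822Name subjectAltName). It assumes an openssl binary (1.1.1 or later, for `req -addext`) and `mktemp`; the certificate, key, addresses, subject line and message text are all constructed for the example.

```shell
#!/bin/sh
# Added example: verify an S/MIME signature, then check that the From: address
# matches an e-mail identity in the signer's certificate. Constructed data only.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Print the addr-spec of the first From: header, display name stripped.
# "Microsoft Security <secure@microsoft.com>" -> "secure@microsoft.com"
from_addr() {
  sed -n -E '/^[Ff]rom:/{ s/^[Ff]rom:[[:space:]]*//; s/.*<([^>]+)>.*/\1/; p; q; }' "$1"
}

# $1 = signed message, $2 = file to receive the signer certificate.
# Verifies signature and chain (the self-signed cert is the trust anchor here)
# and prints "valid" or "invalid". Note that this is all a plain verifier checks.
verify_signature() {
  if openssl cms -verify -in "$1" -CAfile "$WORK/signer.crt" -signer "$2" \
       -out /dev/null 2>/dev/null; then
    echo valid
  else
    echo invalid
  fi
}

# $1 = signed message, $2 = signer certificate (as written by verify_signature).
# The check the thread says Outlook omits: is the From: address one of the
# addresses bound into the signer certificate? "openssl x509 -email" lists both
# the subject emailAddress attribute and rfc822Name SANs. The comparison is
# case-insensitive: the domain is case-insensitive by definition, and treating
# the local part as case-sensitive only produces spurious mismatches in practice.
sender_matches_signer() {
  from="$(from_addr "$1" | tr 'A-Z' 'a-z')"
  if openssl x509 -in "$2" -noout -email | tr 'A-Z' 'a-z' | grep -qxF "$from"; then
    echo match
  else
    echo mismatch
  fi
}

# 1. The sender's own certificate (constructed, self-signed) bound to
#    roberto@logsat.com through an rfc822Name subjectAltName.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Roberto Franceschetti" \
  -addext "subjectAltName=email:roberto@logsat.com" \
  -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1

printf 'A new vulnerability requires the attached patch.\n' > "$WORK/body.txt"

# 2a. Sign with that key while claiming a Microsoft sender. The -from/-to/-subject
#     headers are added outside the signed part, so they are not covered by the
#     signature and can say anything.
openssl cms -sign -in "$WORK/body.txt" \
  -signer "$WORK/signer.crt" -inkey "$WORK/signer.key" \
  -from "Microsoft Security <secure@microsoft.com>" -to "victim@example.com" \
  -subject "Urgent security update" -out "$WORK/forged.eml"

# 2b. The honest case: same key, From: matches the certificate.
openssl cms -sign -in "$WORK/body.txt" \
  -signer "$WORK/signer.crt" -inkey "$WORK/signer.key" \
  -from "Roberto Franceschetti <roberto@logsat.com>" -to "victim@example.com" \
  -subject "Hello" -out "$WORK/honest.eml"

# 3. Both signatures verify; only the honest one passes the sender check.
verify_signature "$WORK/forged.eml" "$WORK/forged_signer.crt"          # valid
sender_matches_signer "$WORK/forged.eml" "$WORK/forged_signer.crt"    # mismatch
verify_signature "$WORK/honest.eml" "$WORK/honest_signer.crt"          # valid
sender_matches_signer "$WORK/honest.eml" "$WORK/honest_signer.crt"    # match
```

A client that wants to warn the way Roberto expects runs `sender_matches_signer` after, not instead of, signature and chain verification; a match with an invalid signature or an untrusted chain is still worthless. The same comparison is what Mozilla and Outlook Express were doing when they flagged the message in his description.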