Re: Security flaw in how Outlook verifies digital signatures
From: Jeff Stephenson [MSFT] (stephenson_at_online.microsoft.com)
Date: 02/20/05
- Next message: Michael Bednarek: "Re: New mail in Outlook 2000 had a better appearance than Outlook 2003"
- Previous message: Karl Burrows: "Toolbars Keep Jumping Around"
- In reply to: Roberto Franceschetti: "Re: Security flaw in how Outlook verifies digital signatures"
- Next in thread: Roberto Franceschetti: "Re: Security flaw in how Outlook verifies digital signatures"
- Reply: Roberto Franceschetti: "Re: Security flaw in how Outlook verifies digital signatures"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 19 Feb 2005 23:08:06 -0800
On Sat, 19 Feb 2005 05:13:53 GMT, Roberto Franceschetti wrote:
> Simple exploit. I use my own Verisign digital certificate to sign an email.
> I then alter the from in the email to make it appear from Microsoft. I then
> send the signed email to my competitor. He sees an email coming from
> Microsoft, digitally signed, with a valid signature, but unfortunately he's
> using Outlook which does not warn him that the sender does not match the
> certificate (if he had only used Mozilla or Outlook Express he'd see flags
> everywhere...)
And apparently your competitor also didn't bother reading the line in the
message that said "Signed by: Roberto Franceschetti".
You're totally ignoring the fact that there is more displayed than the fact
that the message is signed - *who* signed it is also displayed. So your
exploit won't work, except on the same people that are turning their bank
account numbers over to Nigerians to help them transfer money...
> Yes, if you look deep down in the signature a *very* computer-savvy user
> will eventually understand that the sender is not really the person who
> signed the email. But I stress on the computer savvy words. Your average and
> even above average computer user will have no idea that the email was not
> from Microsoft, as the vast majority of users have no idea how these
> certificates work. They just care about "the email is digitally signed" and
> "my email program says it's valid".
You don't have to be particularly savvy to be able to read the line that
says "Signed by: Roberto Franceschetti". Outlook tells you that the
message was signed by a valid certificate and it tells you whose
certificate it is without any need to delve into the details. It's all
right there in plain view. What it *doesn't* do is start raising bogus red
flags about legitimately signed mail that is sent by someone other than the
person that signed it. Go back and read the mail posted on your site for
examples of such legitimate uses...
--
Jeff Stephenson
Outlook Development
This posting is provided "AS IS" with no warranties, and confers no rights
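The disagreement in this thread comes down to one check: whether the mail client compares the address in the From header with the e-mail address bound into the signer's certificate (the behaviour Roberto attributes to Mozilla and Outlook Express) or only displays "Signed by: ..." and leaves the comparison to the reader (the behaviour Jeff defends). The following is an added example, not Outlook's or any other client's code, showing the check as a defender would implement it. It assumes the caller has already verified the S/MIME signature and extracted the certificate's rfc822Name / emailAddress values into a plain list; the sample certificate addresses and messages are constructed for illustration.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


@dataclass
class SignerCheck:
    signed_by: str    # address to show beside the signature ("Signed by: ...")
    from_addr: str    # addr-spec taken from the From header
    matches: bool     # True only when the certificate covers from_addr


def normalise(addr: str) -> str:
    """Lower-case an address for comparison.

    Domains are case-insensitive by definition; local parts are in theory
    case-sensitive, but mail systems treat them case-insensitively in practice,
    and a signer check should not fail on 'Roberto@' versus 'roberto@'.
    """
    local, _, domain = addr.rpartition("@")
    return f"{local.lower()}@{domain.lower()}"


def check_signer(raw_message: str, cert_emails: list[str]) -> SignerCheck:
    """Compare the From header's addr-spec with the signer certificate's addresses.

    cert_emails is assumed to be the list of rfc822Name / emailAddress values
    already extracted from the verified signer certificate (hypothetical input,
    not a real library call). The display name in From is ignored on purpose:
    it is free text chosen by whoever sent the mail, so a client that compared
    it would be misled by a From line such as '"bill@microsoft.com" <...>'.
    """
    msg = message_from_string(raw_message)
    _display_name, from_addr = parseaddr(msg.get("From", ""))
    signed_by = cert_emails[0] if cert_emails else "<no e-mail in certificate>"
    covered = {normalise(e) for e in cert_emails}
    matches = bool(from_addr) and normalise(from_addr) in covered
    return SignerCheck(signed_by=signed_by, from_addr=from_addr, matches=matches)


# Constructed sample data: a certificate issued to the signer's own address
# and three messages that carry a valid signature made with it.
SIGNER_CERT_EMAILS = ["roberto@example.com"]

SPOOFED_FROM = (
    "From: Microsoft Security <secure@microsoft.com>\r\n"
    "To: competitor@example.net\r\n"
    "Subject: Important update\r\n\r\nbody\r\n"
)
LEGITIMATE_FROM = (
    "From: Roberto Franceschetti <Roberto@Example.COM>\r\n"
    "To: competitor@example.net\r\n"
    "Subject: Hello\r\n\r\nbody\r\n"
)
DISPLAY_NAME_TRICK = (
    'From: "secure@microsoft.com" <roberto@example.com>\r\n'
    "To: competitor@example.net\r\n"
    "Subject: Hello\r\n\r\nbody\r\n"
)


def render(result: SignerCheck) -> str:
    """Produce the one-line verdict a client would show beside the signature."""
    if result.matches:
        return f"Signed by: {result.signed_by} (matches sender)"
    return (f"Signed by: {result.signed_by} - WARNING: sender "
            f"{result.from_addr or '(none)'} is not covered by this certificate")


if __name__ == "__main__":
    for sample in (SPOOFED_FROM, LEGITIMATE_FROM, DISPLAY_NAME_TRICK):
        print(render(check_signer(sample, SIGNER_CERT_EMAILS)))
```

The first sample reproduces the scenario in the quoted post: the signature is valid, the "Signed by" line still names the real signer, and the extra comparison turns that into an explicit mismatch warning. The second shows the comparison surviving case differences, and the third shows why the addr-spec rather than the display name must be compared. Jeff's objection also survives in this design: mail legitimately signed by someone other than the From address (an assistant signing for a manager, a list relaying signed posts) would trigger the same warning, so a client that adds this check needs a way for the user to see and accept that case rather than treating every mismatch as forgery.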