Re: Security flaw in how Outlook verifies digital signatures

From: Vanguard (use_ReplyTo_at_domain.invalid)
Date: 02/22/05


Date: Tue, 22 Feb 2005 13:27:07 -0600


"Roberto Franceschetti" <roberto@logsat.com> wrote in message
news:1109077986.716751.177980@z14g2000cwz.googlegroups.com...
> In Outlook Express the notice is pretty "scary", as the email is not
> displayed, and is replaced with a "Security Warning" notice indicating
> that "The digital ID's e-mail address does not match sender's".

Although it is a warning, most users would interpret that as more than
just an informational message. Although programmers are used to seeing
warnings and understanding whether they want to investigate them or not, the
typical end user will see it as an alarm. It is too harsh an alert as
it will probably mislead lots of users into thinking sender and author
really must be the same for the digital signature to be valid. The
message isn't harsh but "Security Warning" should be changed to
"Security Alert". The message should also explain the difference
between sender identity and author identity as should the documentation.

> In both Netscape 7.2 client and Thunderbird there is a big red question
> mark above the digital signature icon, and clicking on it brings the
> warning "Although the digital signature is valid, it is unknown whether
> the sender and the signer are the same person. The email address listed
> in the signer's certificate is different from the email address that
> was used to send this message. Please look at the details of the
> signature to learn who signed the message".

That is a better method of alerting the user to the difference. The
question mark denotes an informational message and there is some more
explanation. In fact, it alerts the user that they really should be
looking at the certificate's author rather than relying on the sender
denoted in the headers.

> Both of these approaches are fine, it is up to the vendor how to notify
> the user of the problem. ***As long as they are indeed notified that
> something is potentially fishy***. Which Outlook is not doing at
> all...
> Yes, there is a (remote in my opinion) possibility that the message is
> legitimate, but the software should inform the user that they need to
> triple-check. Outlook completely ignores the fact that there's a high
> probability the message is fake and does not notify the user. I don't
> know why Microsoft is so stuck up with this thing, seeing how instead
> there's all sorts of popup messages and security notices to prevent
> users from doing/opening other things...

I would agree that there should be something to alert that sender
identity and author identity do not match. It affords an extra comfort
level to the received message. However, if there is a difference, the
user shouldn't be scared into believing something nasty has occurred but
rather told that there can be a difference and that it behooves the user to
review the certificate's details rather than rely on the headers to
identify the sender. However, that same information should also inform
the user that sender and author need not be the same for the digitally
signed content to be valid. As mentioned in my other reply to Peter in
this thread, the sender might be relaying someone else's signed content,
like when I might forward your digitally signed message to another
recipient but I also sign my messages. Your signature should still
apply against your content and my signature should apply against my
content but the sender will be me rather than you. When using Exchange
as your mail server, you may even elect someone else as a delegate who
has the authority to send e-mails on your behalf, like a secretary
sending letters for their boss. When a delegate sends a message on
behalf of another person, the delegate will be the sender.

In Outlook, the certificate icon alerts the user that the message has
been digitally signed, so they can just double-click the icon to see who
was the author of the message. The certificate icon is your alert but
it is an alert presented for every signed message because it is a
reminder that you should look at the certificate to see who really was
the author. That icon itself is the trigger that I use to let me know a
message is signed, and if I want to verify who was the author then I go
look at the details in the certificate info. It's like walking through
the door with a set of chimes that jingle when the door hits them. The
icon is a repetitive reminder that you should check the certificate, not
the headers, to see who composed the message. I suppose Microsoft could
add an option that enables an alert to tell the user that the sender and
author are not the same. However, remember that Outlook Express is
oriented towards a different community of users than is Outlook.
Outlook Express is geared to the typical end user who probably should be
*strongly* reminded to check the details of the certificate. Outlook is
geared towards a business community who should be already familiar with
the use of certificates and against what portion of the e-mail they
apply. Different audiences, different behavior. Thunderbird is a good
alternative e-mail client but I don't see it becoming an
enterprise-level e-mail client for use in a business environment by
corporations. It is still geared towards single-use end users, most at
home, which is a less educated audience, so they need a stronger
reminder.

-- 
____________________________________________________________
Post your replies to the newsgroup.  Share with others.
E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
____________________________________________________________
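The sender-versus-author distinction argued above (signer matching the From party, a delegate signing as the Sender, or a forwarded signed message), worked through as a small classifier. This is an added example, not code from either poster or from any of the clients discussed; it assumes the S/MIME signature has already been verified and that the signer's e-mail names were read from the certificate, and the sample messages are constructed.

```python
"""Added example, not from the thread: decide what a client should tell the
user when a verified S/MIME signer address differs from the message headers.
Assumes the signature already verified, that signer_addrs holds the e-mail
names read from the certificate, and that the MSG_* samples are constructed."""
from email import message_from_string
from email.utils import getaddresses

def _addrs(part, header):
    """Every address in one header of one message part, case-folded."""
    return {a.strip().lower() for _, a in getaddresses(part.get_all(header, [])) if a}

def classify_signer(raw_message, signer_addrs):
    """Return 'match', 'delegate', 'forwarded', 'mismatch' or 'no-signer-address'."""
    msg = message_from_string(raw_message)
    signers = {a.strip().lower() for a in signer_addrs}
    if not signers:
        return "no-signer-address"  # certificate carries no e-mail name to compare
    if signers & _addrs(msg, "From"):
        return "match"              # author and From agree: no notice needed
    if signers & _addrs(msg, "Sender"):
        return "delegate"           # the Sender signed on behalf of the From party
    # Forwarded case: the signer authored an enclosed message/rfc822 part.
    for part in msg.walk():
        if part is not msg and signers & _addrs(part, "From"):
            return "forwarded"
    return "mismatch"               # tell the user to read the certificate details

MSG_DELEGATE = """From: boss@example.com
Sender: assistant@example.com
Content-Type: text/plain

Please see the attached report.
"""
MSG_FORWARD = """From: alice@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Forwarding Bob's signed note.
--b1
Content-Type: message/rfc822

From: bob@example.com
Content-Type: text/plain

Hello Alice.
--b1--
"""
```

A client would pick its wording per result: "match" needs nothing, "delegate" and "forwarded" deserve an informational note, and "mismatch" is the case where the user should be pointed at the certificate details.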