| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <834656028.20050325222027@atkielski.com> Date: Fri, 25 Mar 2005 22:20:27 +0100 From: "Anthony G. Atkielski" <anthony@...ielski.com> To: bugtraq@...urityfocus.com Subject: Re: Security Flaw with Digital signatures in Microsoft Outlook Roberto writes: > This 3rd email is yet another variation showing how a digitally > signed email can further be forget without Outlook ever raising > warning flags (follow the hyperlinks for the email's source): Digitally-signed messages cannot be forged. However, only the body of a digitally-signed message is actually included in the text covered by the signature; the headers are excluded. That's not an Outlook idiosyncrasy, it's just the way signed e-mail works. In every screenshot you provide, Outlook correctly identifies the party that created the digital signature. That's what a security-conscious user will check. And the text of the message has not been changed, so the signature is still valid, and no forgery has occurred. I'm afraid I don't see any problem here. Yes, it's inconvenient that one can forge the "From" line of a message, but in secure e-mail, one doesn't rely on the "From" line, anyway, precisely because it can be so easily forged. I suppose it might be nice if Outlook made the discrepancy between the "From" line and the signer's authenticated identity a bit more obvious, but that's not a security breach, just an ergonomic issue. -- Anthony
Powered by blists - more mailing lists