
| Subject: | RE: [bugtraq] Security Flaw with Digital signatures in Microsoft Outlook |
|---|---|
| Date: | Sat, 26 Mar 2005 09:39:01 +1100 |
This pops up some interesting questions. Who is the average user going to believe the email is from? The name in the 'from' field, or the name in the 'signed by' field? Couple in some recipient confidence in one of the 'from' values, and the signature means little or nothing, imho. We still have enough problems with phishing emails, let alone training people about a new, but very rarely used feature in email.

Lyal

-----Original Message-----
From: Erwann Abalea [mailto:eabalea@certplus.com] On Behalf Of Erwann ABALEA
Sent: Saturday, 26 March 2005 3:50 AM
To: Roberto Franceschetti
Cc: bugtraq@securityfocus.com
Subject: Re: [bugtraq] Security Flaw with Digital signatures in Microsoft Outlook

Bonjour,

Hodie VIII Kal. Apr. MMV est, Roberto Franceschetti scripsit:
The following one has been "hacked" so that the sender now appears to be "Hackers Franceschetti" (hackers@logsat.com). Note that Outlook states that the email is absolutely valid, and that the certificate is Valid and Trusted. This is most definitely not the case, as I've altered the original message to make it appear as a different person actually sent it. Imagine the scenario where a digital signature is supposed to unequivocally identify a sender, but now this email that appears to be sent by "hackers" appears legitimate, and a poor victim will trust it and send the hacker any confidential information he is asked for... (follow the hyperlinks for the email's source):
It is clearly indicated "Signed by: roberto@logsat.com", what's the problem? (see below)
Screenshot at http://www.logsat.com/Signatures/Hacked1.gif Email's source at http://www.logsat.com/Signatures/Hacked1.msg
It's not an email, it's a binary message that can be opened only by Microsoft Outlook. Could you please provide pure text messages? Same request for your conversation between MS, CERT, and you.
This 3rd email is yet another variation showing how a digitally signed email can further be forged without Outlook ever raising warning flags (follow the hyperlinks for the email's source):
In your 2 examples, you apparently fail to notice that the envelope of the message is not signed *at all*. What you're modifying is precisely this envelope. What is really signed is the *body* of the message, that's all. If you change the "From" address, or the subject, or the sending date, that won't invalidate the signature. I don't like to say this, but here, Microsoft did something useful for the end user, by clearly displaying the identity of the signer, along with the declared identity of the sender. If you want them to do more, that's something else. But cryptographically speaking, the signatures haven't been invalidated by your manipulations.
The full emails with the conversations between myself, Microsoft and CERT can be found here (http://www.logsat.com/Signatures/emails.asp). I hope that by making this information public all the users who rely on digital signatures will be aware of this severe security flaw in Microsoft Outlook, and will take other precautions to ensure the identity of users in digitally signed emails they receive.
Could you reformat your web page? It's difficult to read, and .msg files don't fit my Linux machine.

--
Erwann ABALEA <erwann.abalea@keynectis.com>
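To make Erwann's point concrete, here is an added example that is not part of the thread: a minimal model of a signature that covers the body and the signer's identity bound to it, but not the envelope headers (From, Subject, Date). An HMAC stands in for the RSA/PKCS#7 signature of S/MIME, the X-Signer/X-Signature headers stand in for the PKCS#7 blob, and all addresses are constructed; the `signer_matches_from` check is the comparison a mail client leaves to the user when it shows "Signed by" next to "From".

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
import hashlib
import hmac

# Constructed stand-in for the signer's private key (S/MIME uses an RSA/ECDSA key).
SIGNING_KEY = b"constructed-demo-signing-key"


def sign(signer: str, body: str) -> str:
    """Signature over the signer identity and the body only.

    Mirrors S/MIME: the signer's certificate and the body are covered,
    the RFC 822 headers (From, Subject, Date) are not.
    """
    data = f"{signer}\n{body}".encode()
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def build_signed_message(signer: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = signer
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Constructed signed message"
    msg.set_content(body)
    # In S/MIME these two travel inside the PKCS#7 blob; plain headers stand in here.
    msg["X-Signer"] = signer
    msg["X-Signature"] = sign(signer, msg.get_content())
    return msg


def signature_valid(msg: EmailMessage) -> bool:
    """True if the signed data (signer identity + body) is intact."""
    expected = sign(str(msg["X-Signer"]), msg.get_content())
    return hmac.compare_digest(expected, str(msg["X-Signature"]))


def signer_matches_from(msg: EmailMessage) -> bool:
    """The check the client leaves to the user: From address == signed identity?"""
    return parseaddr(msg["From"])[1].lower() == parseaddr(msg["X-Signer"])[1].lower()


def rewrite_from(msg: EmailMessage, new_from: str) -> EmailMessage:
    """Model the manipulation from the thread: change the envelope From after signing."""
    forged = email.message_from_string(msg.as_string(), policy=policy.default)
    forged.replace_header("From", new_from)
    return forged
```

Changing From leaves `signature_valid` true, which is exactly what Outlook reports; only `signer_matches_from` exposes the swap, and changing X-Signer (the signed identity) breaks the signature.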