Security flaw in how Outlook verifies digital signatures

  • Thread starter Roberto Franceschetti

Vanguard

Peter D said:
applies equally to all other forms of identification, too.

But it doesn't matter. Justifying the failure of one supposedly trusted
system by pointing out that other systems are as vulnerable (a too wide
generalisation imho) does ZERO to address the failure of the first.
Certificates give the impression of trust and security. They aren't
trustworthy (as demonstrated).

Because you and Roberto are using security certificates for the wrong
purpose. They do not identify nor validate the sender. You're
complaining that a screwdriver doesn't do as good a job as a hammer.
Right tool for the right job. Certificates identify the author, not the
sender. Other proposals are in place, like Yahoo's DomainKeys and SPF
(Sender Policy Framework) to help identify the sender. These proposals,
by the way, only address identifying the sender, not the author
specified by the certificate used in signing the *content*. Sender and
author are different identities which may or may not be the same.

Please explain why equating the sender identity (which is a very
desirable function) to the content author is important. I get a
digitally signed e-mail from you. You are the author of the *content*
of that message. You might be the sender of that content. I then
forward as attachment your message onto someone else but I also
digitally sign my message. Should my digital signature wipe yours? No.
My digital signature applies to MY content, not to the attached file
which is someone ELSE's content. The recipient should know which
content was signed by me and which content was signed by you. However,
the recipient of my message sees ME as the sender although it includes
signed content from you. There can be more than one author within a
message and the digital signature only identifies one of them for the
content against which the certificate was used to encode the digital
signature. I don't get to include other authors in my digital signature
just so I can make one of them in that e-mail list happen to match my
e-mail address in the delivered message to the recipient. That is one
scenario in which multiple authors are contained with one message.

How do I equate sender with author in my digitally signed message that
gets sent out through a bulk mailing service, like when sending a
newsletter to my subscribers? The sender is definitely not me. How do
I even add the headers into my digitally signed message that aren't even
there until the message gets delivered to the mail server? The mail
server is going to add several headers to my e-mail that obviously I
won't have at the time I am composing my e-mail and opt to digitally
sign it. You have software that sees into the future and can add the
appropriate information into your application? Hindsight is the only
perfect science but it is always retrospective. You are asking
certificates to perform a function for an event that hasn't happened
yet!

E-mail delivery has been an easily spoofable communications medium. It
was designed 20 years ago before the explosion of web access back around
1992-1994, back when users were more trustworthy themselves. The
community was smaller, more professional, and much better educated.
Suggestions to provide a completely new and forcibly trusted e-mail
protocol to replace SMTP have fallen on deaf ears, so instead the
current proposals are patches to the existing SMTP protocol.
 

Vanguard

Roberto Franceschetti said:
In Outlook Express the notice is pretty "scary", as the email is not
displayed, and is replaced with a "Security Warning" notice indicating
that the "The digital ID's e-mail address does not match sender's".

Although it is a warning, most users would interpret that as more than
just an informational message. Although programmers are used to seeing
warnings and understanding if they want to investigate them or not, the
typical end users will see it as an alarm. It is too harsh an alert as
it will probably mislead lots of users into thinking sender and author
really must be the same for the digital signature to be valid. The
message isn't harsh but "Security Warning" should be changed to
"Security Alert". The message should also explain the difference
between sender identity and author identity as should the documentation.
In both Netscape 7.2 client and Thunderbird there is a big red question
mark above the digital signature icon, and clicking on it brings the
warning "Although the digital signature is valid, it is unknown whether
the sender and the signer are the same person. The email address listed
in the signer's certificate is different from the email address that
was used to send this message. Please look at the details of the
signature to learn who signed the message".

That is a better method of alerting the user of the difference. The
question mark denotes an informational message and there is some more
explanation. In fact, it alerts the user that they really should be
looking at the certificate's author rather than relying on the sender
denoted in the headers.
Both of these approaches are fine, it is up to the vendor how to notify
the user of the problem. ***As long as they are indeed notified that
something is potentially fishy***. Which Outlook is not doing at
all...
Yes, there is a (remote in my opinion) possibility that the message is
legitimate, but the software should inform the user that they need to
triple-check. Outlook completely ignores the fact that there's a high
probability the message is fake and does not notify the user. I don't
know why Microsoft is so stuck up with this thing, seeing how instead
there's all sorts of popup messages and security notices to prevent
users from doing/opening other things...

I would agree that there should be something to alert that sender
identity and author identity do not match. It affords an extra comfort
level to the received message. However, if there is a difference, the
user shouldn't be scared into believing something nasty has occurred but
explain that there can be a difference and it behooves the user to
review the certificate's details rather than rely on the headers to
identify the sender. However, that same information should also inform
the user that sender and author need not be the same for the digitally
signed content to be valid. As mentioned in my other reply to Peter in
this thread, the sender might be relaying someone else's signed content,
like when I might forward your digitally signed message to another
recipient but I also sign my messages. Your signature should still
apply against your content and my signature should apply against my
content but the sender will be me rather than you. When using Exchange
as your mail server, you may even elect someone else as a delegate who
has the authority to send e-mails on your behalf, like a secretary
sending letters for their boss. When a delegate sends a message on
behalf of another person, the delegate will be the sender.

In Outlook, the certificate icon alerts the user that the message has
been digitally signed, so they can just double-click the icon to see who
was the author of the message. The certificate icon is your alert but
it is an alert presented for every signed message because it is a
reminder that you should look at the certificate to see who really was
the author. That icon itself is the trigger that I use to let me know a
message is signed, and if I want to verify who was the author then I go
look at the details in the certificate info. It's like walking through
the door with a set of chimes that jingle when the door hits them. The
icon is a repetitive reminder that you should check the certificate, not
the headers, to see who composed the message. I suppose Microsoft could
add an option that enables an alert to tell the user that the sender and
author are not the same. However, remember that Outlook Express is
oriented towards a different community of users than is Outlook.
Outlook Express is geared to the typical end user who probably should be
*strongly* reminded to check the details of the certificate. Outlook is
geared towards a business community who should be already familiar with
the use of certificates and against what portion of the e-mail they
apply. Different audiences, different behavior. Thunderbird is a good
alternative e-mail client but I don't see it becoming an
enterprise-level e-mail client for use in a business environment by
corporations. It is still geared towards single-use end users, most at
home, which is a lesser educated audience so they need a stronger
reminder.
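Editor's added example (not code from the thread or from any of the mail clients discussed): the comparison the posters are arguing about is actually specified. RFC 5750 section 3 (and RFC 3850 / RFC 2632 before it) requires an S/MIME receiving agent to check that the address in the From or Sender header matches an e-mail address in the signer's certificate, and to provide some alternate processing, such as showing the signer's details, when it does not. The code below implements that check over a parsed message with only the Python standard library, and covers the two cases Vanguard raises: a delegate sending on behalf of the From author (matched via Sender) and a signed message forwarded as a message/rfc822 attachment (each signature is checked against the headers of the message that actually carries it). Assumptions: signature parts are stand-ins that carry a "signer: addr" line instead of real CMS data, because the address would normally be read from the verified signer certificate (subjectAltName rfc822Name, else the emailAddress RDN) and no signature is verified here; folding the local part of addresses to lower case is an assumption, since only the domain part is case-insensitive by definition. All sample messages are constructed.

```python
"""From/Sender vs. signer-certificate address check for S/MIME (RFC 5750 s.3)."""
import email
from email import policy


def normalize(addr: str) -> str:
    """Domain is case-insensitive by definition; folding the local part too is
    an assumption (most providers treat it that way)."""
    local, _, domain = addr.strip().rpartition("@")
    return f"{local.lower()}@{domain.lower()}"


def header_addresses(msg, name: str) -> set:
    """All addr-specs in every instance of a header (From may list several)."""
    return {normalize(a.addr_spec)
            for hdr in msg.get_all(name, []) for a in hdr.addresses}


def signer_addresses(signature_part) -> set:
    """Stand-in for reading the verified signer certificate out of the CMS
    SignedData: the constructed samples put 'signer: addr' lines in the
    application/pkcs7-signature body. Nothing here verifies a signature."""
    body = signature_part.get_payload(decode=True).decode("ascii", "replace")
    return {normalize(line.split(":", 1)[1])
            for line in body.splitlines() if line.startswith("signer:")}


def signed_layers(msg, enclosing=None):
    """Yield (enclosing message, multipart/signed part) pairs, descending into
    message/rfc822 attachments so a forwarded signature is compared with the
    forwarded message's own headers rather than the forwarder's."""
    if enclosing is None:
        enclosing = msg
    if msg.get_content_type() == "multipart/signed":
        yield enclosing, msg
    if msg.is_multipart():
        wraps_message = msg.get_content_type() == "message/rfc822"
        for child in msg.iter_parts():
            yield from signed_layers(child, child if wraps_message else enclosing)


def check_binding(enclosing, signed_part) -> dict:
    """The RFC 5750 comparison plus the outcome a client should surface."""
    froms = header_addresses(enclosing, "From")
    senders = header_addresses(enclosing, "Sender")
    certs = signer_addresses(list(signed_part.iter_parts())[-1])
    if not certs:
        status, note = "unknown", "certificate has no e-mail address; show its subject"
    elif certs & froms:
        status, note = "ok", "signer certificate matches From"
    elif certs & senders:
        status, note = "delegate", "signed by the Sender (on behalf of), not the From author"
    else:
        status, note = "mismatch", "matches neither From nor Sender; show signer details"
    return {"from": sorted(froms), "sender": sorted(senders),
            "signer": sorted(certs), "status": status, "note": note}


def audit(raw: str) -> list:
    msg = email.message_from_string(raw, policy=policy.default)
    return [check_binding(enc, part) for enc, part in signed_layers(msg)]


def build_signed(headers: dict, body: str, signer: str,
                 body_type: str = "text/plain", boundary: str = "B") -> str:
    """Construct a multipart/signed message with a stand-in signature part."""
    head = [f"{k}: {v}" for k, v in headers.items()]
    head += ["MIME-Version: 1.0",
             'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
             f'micalg=sha-256; boundary="{boundary}"', ""]
    parts = [f"--{boundary}", f"Content-Type: {body_type}", "", body,
             f"--{boundary}", "Content-Type: application/pkcs7-signature", "",
             f"signer: {signer}", f"--{boundary}--", ""]
    return "\n".join(head + parts)


# Constructed samples: a spoof, a delegate, and a signed message forwarded inside
# another signed message (the scenario described in the post above).
SPOOFED = build_signed({"From": "Alice <alice@bank.example>", "To": "victim@example.net",
                        "Subject": "Confirm your account"}, "Click to confirm.",
                       "mallory@evil.example")
DELEGATED = build_signed({"From": "Boss <boss@corp.example>",
                          "Sender": "Secretary <sec@corp.example>",
                          "To": "staff@corp.example"}, "Meeting moves to 3pm.",
                         "sec@corp.example")
INNER = build_signed({"From": "Alice <alice@example.com>", "To": "bob@example.org"},
                     "Original note.", "alice@example.com", boundary="inner")
FORWARDED = build_signed({"From": "Bob <bob@example.org>", "To": "carol@example.net"},
                         INNER, "bob@example.org", body_type="message/rfc822",
                         boundary="outer")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("delegated", DELEGATED), ("forwarded", FORWARDED)]:
        for r in audit(raw):
            print(f"{name}: {r['status']:9} from={r['from']} signer={r['signer']}  {r['note']}")
```

The function only classifies; how loudly to present "mismatch" (the Outlook Express alarm, the Thunderbird question mark) is the UI decision the thread disagrees about. Note that the forwarded sample yields two results, one per signature, each judged against its own enclosing From, so the forwarder's signature never "wipes" the original author's.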
 

Roberto Franceschetti

Vanguard,

SPF and DomainKeys do not "identify" the sender. They are merely a way to
see if IP addresses are allowed to send email for a specific domain (I
develop SpamFilter ISP - it supports SPF, I know a bit about it...). So
let's stick with digital signatures please.

In regards to "Please explain why equating the sender identity (which is a
very desirable function) to the content author is important" I believe I've
already done that, and obviously Outlook Express' developers, along with
Netscape's and Thunderbird's, have my same beliefs. You have 3 applications
that do exactly as I've been screaming for months now. If that does not
convince you, I don't know what would...

I seriously doubt that "Outlook's audience is more business oriented and
thus smarter and more knowledgeable". If that were the case, why did
Microsoft have to put so much security in place to block attachments and
popup all sorts of warnings to prevent users from doing stupid things? Heck,
if I was a smart user, I'd know when I can open an .exe or a .url file
without Outlook blocking it for me. Pardon the brutality, and no offense to
individuals, I'm referring to the average world here now. In the real world,
most Outlook users are as incompetent as home users, they should be
receiving the same warnings as are users of other clients....

Roberto Franceschetti
roberto at sign logsat.com
 

Peter D

Vanguard said:
Because you and Roberto are using security certificates for the wrong
purpose.

Huh? Moi? Think again. Not I. I'm trying to stay _on-track_ and raised the
legitimate rebuttal that you failed to defend the problem by demonstrating a
failure of other systems. It's a fallacy. One you continue to use. Pity. :)
 

Vanguard

Peter D said:
Huh? Moi? Think again. Not I. I'm trying to stay _on-track_ and raised the
legitimate rebuttal that you failed to defend the problem by demonstrating a
failure of other systems. It's a fallacy. One you continue to use. Pity. :)


Got something significant to add to the discussion - about certificates
and digital signatures?
 
