Security Vulnerability in Outlook 2007 email Encryption


O

ORTNPalms

I am using Outlook 2007 and Vista Ultimate. When someone with whom I have
exchanged digital ID's with sends me an encrypted e-mail and I attempt a
straight-forward "Reply To" there is an error message "Microsoft Outlook had
problems encrypting this message ... recipients had missing or invalid
certificates, or conflicting or unsupported encryption capabilities". The
choices offered are to send unencrypted or to cancel. However, send
unencrypted doesn't work. So then if I save the "Reply To" as a draft,
restart Outlook, and then send the draft, it appears (to me the sender) that
the Reply To message was sent as an encrypted e-mail. However the recipient
receives an UNENCRYPTED email. At least that's what I found, based on one
test.
 
Ad

Advertisements

V

VanguardLH

ORTNPalms said:
I am using Outlook 2007 and Vista Ultimate. When someone with whom I have
exchanged digital ID's with sends me an encrypted e-mail and I attempt a
straight-forward "Reply To" there is an error message "Microsoft Outlook had
problems encrypting this message ... recipients had missing or invalid
certificates, or conflicting or unsupported encryption capabilities". The
choices offered are to send unencrypted or to cancel. However, send
unencrypted doesn't work. So then if I save the "Reply To" as a draft,
restart Outlook, and then send the draft, it appears (to me the sender) that
the Reply To message was sent as an encrypted e-mail. However the recipient
receives an UNENCRYPTED email. At least that's what I found, based on one
test.

How does the "Reply To message" that was sent appear as an encrypted
message? Messages you send will never appear encrypted; otherwise, you
would not be able to read those e-mails that you composed.

When you receive an encrypted e-mail, just WHOSE certificate do you think
was involved in that encryption? It was YOUR e-mail certificate, not the
sender's.

If you want to *received* encrypted e-mails, you send someone a digitally
signed e-mail so they can save the public key for your e-mail cert. Then
when they send you an e-mail, they can choose to use YOUR public key to
encrypt their e-mail. When you receive that encrypted e-mail, you are the
only one that has the private key to do so. Anyone can encrypt e-mails
using your public key but only you can decrypt it using your private key.

If you want to *send* encrypted e-mails, you first have to get a digitally
signed e-mail from the other party. You have to save their public key (by
saving the contact info from that e-mail into your contacts). When you want
to send them an encrypted e-mail, you use THEIR public key. When they get
your encrypted e-mail, they use THEIR private key to decrypt it.

For someone to have sent you an encrypted e-mail means they had your public
key from your e-mail cert because you previously sent them a digitally
signed e-mail. So obviously you can read it because you have your private
key for that same e-mail cert. When you reply, you will need THEIR public
key to encrypt any e-mails you send back to them. So have they yet sent you
an e-mail that was digitally signed so you could save their public key?
When you reply, is their e-mail address to where you are sending the same
one as what got saved in their contact record in your Outlook? Certs are
specific to a particular e-mail address. When replying, you have to use the
contact record you saved when you previously saved them when you got a
digitally signed e-mail from them. Maybe you have more than one contact
record for that recipient and the one you use doesn't contain their public
key, or you didn't even use that saved contact record with their public key
when you replied to them.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top