Bugtraq: Re: Security Flaw with Digital signatures in Microsoft Outlook

["Anthony G. Atkielski" <anthony () atkielski com>]

Roberto writes:

> This 3rd email is yet another variation showing how a digitally
> signed email can further be forget without Outlook ever raising
> warning flags (follow the hyperlinks for the email's source):
Digitally-signed messages cannot be forged.  However, only the body of a
digitally-signed message is actually included in the text covered by the
signature; the headers are excluded.  That's not an Outlook
idiosyncrasy, it's just the way signed e-mail works.

In every screenshot you provide, Outlook correctly identifies the party
that created the digital signature.  That's what a security-conscious
user will check.  And the text of the message has not been changed, so
the signature is still valid, and no forgery has occurred.

I'm afraid I don't see any problem here.  Yes, it's inconvenient that
one can forge the "From" line of a message, but in secure e-mail, one
doesn't rely on the "From" line, anyway, precisely because it can be so
easily forged.  I suppose it might be nice if Outlook made the
discrepancy between the "From" line and the signer's authenticated
identity a bit more obvious, but that's not a security breach, just an
ergonomic issue.

--
Anthony