Bugtraq: Re: Security Flaw with Digital signatures in Microsoft Outlook

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Security Flaw with Digital signatures in Microsoft Outlook

From: <dori () we-can co il>
Date: 29 Mar 2005 04:18:21 -0000

In-Reply-To: <20050325202052.15663.qmail () www securityfocus com>

Mr Roberto managed to change email headers  from address.

Security Professionals know the email headers can't be trusted and can be easily forged.
Most Outlook users *do not*.

The signed by and the certificate signer remain valid  so its issue of educating users to look at the "signed by" 
field , and not the from address.

This "Feature / Flaw" can be the source of some problematic phishing scams:
if i buy a certificate for some-user () company com
and send a forged email with "from" helpdesk () company com, signed by that some-user () company com
I'm sure it can get the passwords from most of the users.

I'm sure some ppl will take this further and we are going to see this trend in phishing evolving quickly.

Dori Fisher,
We! Consulting group.

By Date By Thread

Current thread:

Security Flaw with Digital signatures in Microsoft Outlook Roberto Franceschetti (Mar 25)
- RE: Security Flaw with Digital signatures in Microsoft Outlook Adrian Floarea (Mar 25)
- Re: [bugtraq] Security Flaw with Digital signatures in Microsoft Outlook Erwann ABALEA (Mar 25)
  - RE: [bugtraq] Security Flaw with Digital signatures in Microsoft Outlook Lyal Collins (Mar 26)
- Re: Security Flaw with Digital signatures in Microsoft Outlook Anthony G. Atkielski (Mar 26)
- <Possible follow-ups>
- Re: Security Flaw with Digital signatures in Microsoft Outlook dori (Mar 29)