Full Disclosure
mailing list archives
Re: Microsoft Outlook Vulnerability: S/MIME Loss of Integrity
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 17 Jun 2013 14:53:28 -0400
On Mon, Jun 17, 2013 at 2:49 PM, Daniël W. Crompton <daniel.crompton () gmail com> wrote:
> how would that work? AFAIK S/MIME is public key cryptography, how would
> you decrypt a message which is not encrypted with your public key?

Exactly. How does one decrypt when they don't hold the private key. That
magic button would come in handy for a lot of folks.

Jeff

> On 17 June 2013 20:17, Jeffrey Walton <noloader () gmail com> wrote:
>> On Mon, Jun 17, 2013 at 11:19 AM, ACROS Security Lists <lists () acros si> wrote:
>>> Valdis,
>>>
>>>> No, that's how to do it *hardline*. There's many in the
>>>> security industry that will explain to you that it's also
>>>> doing it *wrong*. Hint - the first time that HR sends out a
>>>> posting about a 3-day window next week to change your
>>>> insurance plan without penalty, signs it with something that
>>>> doesn't match the From:, and the help desk is deluged by
>>>> phone calls from employees who can't read the mail, the guy
>>>> who put "You shall not pass" in place will be starting a job hunt.
>>>
>>> If there was an industry standard specifying the you-shall-not-pass for all web
>>> browsers, it wouldn't be the guy (developer) who put this roadblock in place that
>>> would start a job hunt but someone within the company whose job was to avoid the
>>> roadblock by making sure the cert that HR is using was okay. That would happen a
>>> couple of times, and then not any more, as people have great capacity for learning.
>>> ....
>>> ... If I get an encrypted
>>> message that was mistakenly not encrypted with my key, it would be very productive to
>>> have a "Just decrypt anyway" button but we obviously don't have that. ...
>>
>> A lot of folks would like to have that button ;)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/