Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP

2003-10-11 Thread yossarian
Like I said, Outlook Express (even in the header) not Mozilla. And the
problem is not with signature verification FWIW, but access to the message
itself. I am not claiming the cert stuff doesn't work, just pointing at a
downside in turning off HTML mail. So that is the case, I am sorry you did
not understand that I was not referring to the software you are using.

----- Original Message -----
From: Michael Sierchio [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, October 11, 2003 2:48 AM
Subject: Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP


> yossarian wrote:
>
> > The problem is that by turning off HTML for e-mail as a security measure,
> > you disable the correct use of digitally signed e-mail, which by design is a
> > security measure.
>
> Not the case, AFAIK -- S/MIME doesn't depend on how you view the
> document.  At least w/Mozilla (currently in use here) S/MIME
> signatures are verified even though the HTML is not rendered.
>
> --
>
> Well, Brahma said, even after ten thousand explanations, a fool is no
> wiser, but an intelligent man requires only two thousand five hundred.
> - The Mahabharata


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP

2003-10-10 Thread yossarian
Today I had the pleasure of receiving a digitally signed e-mail on my newest
machine, running XP Pro. Since it is intended for business use, and
connected to the internet, I am about halfway hardening it. One of the
things I did was turn off HTML e-mail in OE (6 Sp1). On receiving a
digitally signed e-mail, I got OE asking me whether:


 Security Help
  Digitally Signed Message


This message has been digitally signed by the sender.

  Signed e-mail from others allows you to verify the authenticity of a
message -- that the message is from the supposed sender and that it has not
been tampered with during transit. Signed mail messages are designated with
the signed mail icon.

  Any problems with a signed message will be described in a Security
Warning which may follow this one. If there are problems, you should
consider that the message was tampered with or was not from the supposed
sender.



  Don't show me this Help screen again.

Continue

Alas, the Continue button was just text, just as the tick box to not show me
this help screen again was not there. This means I'll have to re-enable HTML
mail, and wait for the next signed mail to arrive... to turn it off. I
wonder what will happen to messages that have been tampered with when I have
turned off HTML mail? I will probably get a warning, but will not be able to
go beyond that, since it is in ASCII and that does not (AFAIK) support nice
buttons. So in order to enable signed mail, I will have to enable HTML in my
mail.

Have a nice day, y'all

Yossarian



Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP

2003-10-10 Thread Cael Abal
> Alas, the Continue button was just text, just as the tick box to not show me
> this help screen again was not there. This means I'll have to re-enable HTML
> mail, and wait for the next signed mail to arrive... to turn it off. I
> wonder what will happen to messages that have been tampered with when I have
> turned off HTML mail? I will probably get a warning, but will not be able to
> go beyond that, since it is in ASCII and that does not (AFAIK) support nice
> buttons. So in order to enable signed mail, I will have to enable HTML in my
> mail.

Good evening Yossarian,

I'm sorry, do I understand correctly when you say that the mechanism for 
verifying / managing signed e-mail seemed to be included within the 
e-mail itself -- in html, no less?  Although I'm unfamiliar with 
certificate-based digitally-signed e-mail (I'm a pgp/gpg kind of guy) I 
can't help but be very suspicious.

Also, you mentioned that the machine will be used for business purposes 
and (directly?) connected to the internet.  Might I recommend against 
using OE for e-mail?  Mozilla Thunderbird is what I recommend for 
Microsoft folks.

take care,

Cael





Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP

2003-10-10 Thread yossarian
> > Alas, the Continue button was just text, just as the tick box to not
> > show me this help screen again was not there. This means I'll have to
> > re-enable HTML mail, and wait for the next signed mail to arrive... to
> > turn it off. I wonder what will happen to messages that have been
> > tampered with when I have turned off HTML mail? I will probably get a
> > warning, but will not be able to go beyond that, since it is in ASCII and
> > that does not (AFAIK) support nice buttons. So in order to enable signed
> > mail, I will have to enable HTML in my mail.
>
> Good evening Yossarian,
>
> I'm sorry, do I understand correctly when you say that the mechanism for
> verifying / managing signed e-mail seemed to be included within the
> e-mail itself -- in html, no less?  Although I'm unfamiliar with
> certificate-based digitally-signed e-mail (I'm a pgp/gpg kind of guy) I
> can't help but be very suspicious.
>
> Also, you mentioned that the machine will be used for business purposes
> and (directly?) connected to the internet.  Might I recommend against
> using OE for e-mail?  Mozilla Thunderbird is what I recommend for
> Microsoft folks.

The problem is that by turning off HTML for e-mail as a security measure,
you disable the correct use of digitally signed e-mail, which by design is a
security measure. I cannot verify this behaviour for Outlook since I have no
working system with said software.
I am not saying anything about the usefulness (or the opposite) of this
signing technology or its alternatives, since everything that needs to be
said about it is all over the Internet.

Like I said, it is a new machine. Since my business IS security, I use on
some systems what Joe Average uses. So I use MS boxes in daily routine
work - it keeps me very up to date on threats. Sort of Honeypot thingie, but
since it is partly production, I have to solve every prob encountered.
Living dangerously on the web.

Top O' the morning - it is past midnight!



Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP

2003-10-10 Thread Michael Sierchio
yossarian wrote:

> The problem is that by turning off HTML for e-mail as a security measure,
> you disable the correct use of digitally signed e-mail, which by design is a
> security measure.

Not the case, AFAIK -- S/MIME doesn't depend on how you view the
document.  At least w/Mozilla (currently in use here) S/MIME
signatures are verified even though the HTML is not rendered.

--

Well, Brahma said, even after ten thousand explanations, a fool is no
wiser, but an intelligent man requires only two thousand five hundred.
- The Mahabharata
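Michael's point above, that an S/MIME signature is checked over the signed MIME bytes and has nothing to do with whether the HTML is rendered, as an added example that is not from the thread or from any of the mail clients discussed. It uses Python's standard email package to build a multipart/signed message; because the standard library has no CMS/PKCS#7 verifier, an HMAC-SHA256 tag over the signed part (with a constructed key) stands in for the certificate-based CMS signature, an assumption made only so the example runs stand-alone.

```python
import hashlib
import hmac
import re
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Constructed demo key; stand-in for the sender's S/MIME private key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

def signed_bytes(part):
    """RFC 1847 signs the first body part as a whole MIME entity (headers and
    body) in canonical CRLF form; that is exactly what is hashed here."""
    return part.as_bytes(policy=policy.SMTP)

def sign_message(html_body):
    """Build multipart/signed: part 1 is the HTML content, part 2 the signature."""
    body = MIMEText(html_body, "html")
    tag = hmac.new(DEMO_KEY, signed_bytes(body), hashlib.sha256).hexdigest()
    outer = MIMEMultipart("signed", protocol="application/x-demo-signature",
                          micalg="sha-256")
    outer["From"] = "sender@example.invalid"  # constructed address
    outer["Subject"] = "signed test"
    outer.attach(body)
    outer.attach(MIMEApplication(tag.encode(), "x-demo-signature"))
    return outer.as_bytes(policy=policy.SMTP)

def verify_message(raw):
    """Check the signature over the raw first part; nothing here renders HTML."""
    msg = BytesParser(policy=policy.SMTP).parsebytes(raw)
    if msg.get_content_type() != "multipart/signed" or len(msg.get_payload()) != 2:
        return False
    body, sig_part = msg.get_payload()
    expected = hmac.new(DEMO_KEY, signed_bytes(body), hashlib.sha256).hexdigest()
    given = sig_part.get_payload(decode=True).decode("ascii", "replace")
    return hmac.compare_digest(expected, given)

def plain_text_view(raw):
    """What a client with HTML switched off can still do: verify the signature
    first, then show the body with the tags stripped. Returns (ok, text)."""
    msg = BytesParser(policy=policy.SMTP).parsebytes(raw)
    html = msg.get_payload()[0].get_content()
    return verify_message(raw), re.sub(r"<[^>]+>", "", html).strip()

if __name__ == "__main__":
    raw = sign_message("<p>Hello from the signed sender</p>")
    print(plain_text_view(raw))
    print(verify_message(raw.replace(b"Hello", b"Hallo")))  # body tampered
```

Flipping a byte in the HTML part fails verification even though no part of the check ever interpreted the HTML; the warning a client shows is a separate step from the verification itself.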