Re: Security Flaw with Digital signatures in Microsoft Outlook
Roberto writes:
> This 3rd email is yet another variation showing how a digitally
> signed email can further be forget without Outlook ever raising
> warning flags (follow the hyperlinks for the email's source):
Digitally-signed messages cannot be forged. However, only the body of a
digitally-signed message is actually included in the text covered by the
signature; the headers are excluded. That's not an Outlook
idiosyncrasy, it's just the way signed e-mail works.
In every screenshot you provide, Outlook correctly identifies the party
that created the digital signature. That's what a security-conscious
user will check. And the text of the message has not been changed, so
the signature is still valid, and no forgery has occurred.
I'm afraid I don't see any problem here. Yes, it's inconvenient that
one can forge the "From" line of a message, but in secure e-mail, one
doesn't rely on the "From" line, anyway, precisely because it can be so
easily forged. I suppose it might be nice if Outlook made the
discrepancy between the "From" line and the signer's authenticated
identity a bit more obvious, but that's not a security breach, just an
ergonomic issue.
--
Anthony