Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP

From: yossarian (yossarian_at_planet.nl)
Date: 10/11/03

    To: Cael Abal <lists@onryou.com>, full-disclosure@lists.netsys.com
    Date: Sat, 11 Oct 2003 01:41:33 +0200
    
    

    > > Alas, the Continue button was just text, just as the tick box to not show me
    > > this help screen again was not there. This means I'll have to re-enable HTML
    > > mail, and wait for the next signed mail to arrive.....to turn it off. I
    > > wonder what will happen to messages that have been tampered with when I have
    > > turned off HTML mail? I will probably get a warning, but will not be able to
    > > go beyond that, since it is in ASCII and that does not (AFAIK) support nice
    > > buttons. So in order to enable signed mail, I will have to enable HTML in my
    > > mail....

    > Good evening Yossarian,
    >
    > I'm sorry, do I understand correctly when you say that the mechanism for
    > verifying / managing signed e-mail seemed to be included within the
    > e-mail itself -- in html, no less? Although I'm unfamiliar with
    > certificate-based digitally-signed e-mail (I'm a pgp/gpg kind of guy) I
    > can't help but be very suspicious.
    >
    > Also, you mentioned that the machine will be used for business purposes
    > and (directly?) connected to the internet. Might I recommend against
    > using OE for e-mail? Mozilla Thunderbird is what I recommend for
    > Microsoft folks.

    The problem is that by turning off HTML for e-mail as a security measure,
    you disable the correct use of digitally signed e-mail, which by design is a
    security measure. I cannot verify this behaviour for Outlook since I have no
    working system with said software....
    I am not saying anything about the usefulness (or the opposite) of this
    signing technology or its alternatives, since everything that needs to be
    said about it is all over the Internet.

    Like I said, it is a new machine. Since my business IS security, I use on
    some systems what Joe Average uses. So I use MS boxes in daily routine
    work - it keeps me very up to date on threats. Sort of Honeypot thingie but
    since it is partly production, I have to solve every prob encountered....
    Living dangerously on the web.

    Top O' the morning - it is past midnight!

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

