Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP

From: yossarian (
Date: 10/11/03

  • Next message: Bobby Brown: "RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability"
    To: Cael Abal <>,
    Date: Sat, 11 Oct 2003 01:41:33 +0200

    > > Alas, the Continue button was just text, just as the tick box to not
    show me
    > > this help screen again was not there. This means I'll have to re-enable
    > > mail, and wait for the next signed mail to turn it off. I
    > > wonder what will happen to messages that have been tampered with when I
    > > turned off HTML mail? I will probably get a warning, but will not be
    able to
    > > go beyond that, since it is in ASCII and that does not (AFAIK) support
    > > buttons. So in order to enable signed mail, I will have to enable HTML
    in my
    > > mail....

    > Good evening Yossarian,
    > I'm sorry, do I understand correctly when you say that the mechanism for
    > verifying / managing signed e-mail seemed to be included within the
    > e-mail itself -- in html, no less? Although I'm unfamiliar with
    > certificate-based digitally-signed e-mail (I'm a pgp/gpg kind of guy) I
    > can't help but be very suspicious.
    > Also, you mentioned that the machine will be used for business purposes
    > and (directly?) connected to the internet. Might I recommend against
    > using OE for e-mail? Mozilla Thunderbird is what I recommend for
    > Microsoft folks.

    The problem is that by turning off HTML for e-mail as a security measure,
    you disable the correct use of digitally signed e-mail, which by design is a
    security measure. I cannot verify this behaviour for Outlook since I have no
    working system with said software....
    I am not saying anything about the usefullness (or the opposite) of this
    signing technology or its alternatives, since everything that needs to be
    said about it is all over the Internet.

    Like I said, it is a new machine. Since my business IS security, I use on
    some systems what Joe Average uses. So I use MS boxes in daily routine
    work - it keeps me very up to date on threats. Sort of Honeypot thingie but
    since it is partly production, I have to solve every prob encountered....
    Living dangerously on the web.

    Top O' the morning - it is past midnight!

    Full-Disclosure - We believe in it.

  • Next message: Bobby Brown: "RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability"