Re: Important note about NoHTML and Outlook 2002

From: Toby Beaumont (Toby@CREATORCOMMUNICATIONS.COM)
Date: 12/18/01


Date:         Tue, 18 Dec 2001 09:17:24 -0000
From: Toby Beaumont <Toby@CREATORCOMMUNICATIONS.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Nick Wrote:

And, because it's from Microsoft, they only did it half-a$$ed --
digitally signed and encrypted messages will *not* be affected by the MS
"ReadAs Plain". Reading the KB article carefully suggests some
interesting things about Outlook's internal message handling and
strongly suggests that this MS "fix" to a problem entirely of MS' making
is applied at the wrong point in the message handling code.

===

2 things:

1. Why is this "entirely of MS' making"? - I'm not defending them, but
theirs isn't the only email application that supports HTML.

2. I disagree with this being "half-assed" - (RE: My previous email
Russ). Messages that are digitally signed and encrypted are treated by
Outlook in a similar way to a signed ActiveX control on a web
page. Since IE does not convert all web pages (signed or unsigned) to
plain text, is this half-assed too?

(NB: One of the attributes of a signed or encrypted email is that its
certificate is _only valid_ if the contents of the email have not been
altered since it was first signed. Converting to plain text would
therefore invalidate the certificate.)

For this and probably many other reasons, I do not think Microsoft, in
the foreseeable future, are going to take the security issue of HTML in
email to a level where subscribers of this list will ever consider it
anything but "half-assed".

So in the meantime, rather than wait to see if Microsoft change their
attitudes on this (which even if they do, is likely to be later rather
than sooner), implement your own security measures. A Linux system
running "sendmail" can, with the use of Perl (or similar language), scan
all incoming messages looking for the "content-type: text/html" and
strip out everything between the multipart MIME boundaries. Sendmail
then forwards all mail to your normal mail gateway. You may be left with
nothing but at least you can feel safe.

======================================
Delivery co-sponsored by VeriSign - The Internet Trust Company
======================================
Protect your servers with 128-bit SSL encryption!
Get VeriSign's FREE guide, "Securing Your Web Site for Business." You will
learn everything you need to know about using SSL to encrypt your e-commerce
transactions for serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016065650057000
======================================
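The filter Toby describes above, written here as an added example (Python rather than Perl; it is not code from the post or from the list). It uses only the Python standard library and walks the MIME structure instead of grepping for "content-type: text/html": a multipart/alternative message keeps its text/plain part and loses the HTML one, a lone HTML body is reduced to its visible text (script and style contents are discarded rather than leaking into the plain text), and multipart/signed or multipart/encrypted messages are left untouched and flagged, since rewriting the signed content would make the signature fail to verify. The sample messages are constructed for this example, and the function and constant names are assumptions of mine, not anything from the post.

```python
import sys
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class _TextExtractor(HTMLParser):
    """Collect the visible text of an HTML body; <script>/<style> contents are dropped."""
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.chunks: list[str] = []
        self._skip = 0  # > 0 while inside <script> or <style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("br", "p", "div", "li", "tr"):
            self.chunks.append("\n")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag in ("p", "div", "li", "tr"):
            self.chunks.append("\n")
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def html_to_text(html: str) -> str:
    # Reduce an HTML body to its text, one block element per line.
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    lines = "".join(parser.chunks).splitlines()
    return "\n".join(line.strip() for line in lines if line.strip())

def scrub_part(part: EmailMessage, notes: list[str]) -> None:
    """Walk the MIME tree in place, turning every text/html part into text/plain."""
    ctype = part.get_content_type()
    if ctype in ("multipart/signed", "multipart/encrypted"):
        # The signature covers the signed body byte for byte: rewriting it breaks
        # verification, so leave it alone and let the caller decide what to do.
        notes.append(f"left {ctype} untouched: rewriting it would break the signature")
        return
    if part.is_multipart():
        children = part.get_payload()
        if part.get_content_subtype() == "alternative" and any(
            c.get_content_type() == "text/plain" for c in children
        ):
            # A plain-text rendering already exists: drop the HTML one rather than convert it.
            kept = [c for c in children if c.get_content_type() != "text/html"]
            if len(kept) != len(children):
                notes.append("dropped text/html alternative (text/plain sibling kept)")
            part.set_payload(kept)
            children = kept
        for child in children:
            scrub_part(child, notes)
    elif ctype == "text/html":
        # Lone HTML body, or HTML inside multipart/mixed or /related: keep the text,
        # lose the markup.  set_content() rewrites the Content-* headers for us.
        part.set_content(html_to_text(part.get_content()))
        notes.append("converted text/html part to text/plain")

def scrub_message(raw: bytes) -> tuple[EmailMessage, list[str]]:
    # Parse a raw message; return the scrubbed message and a log of what changed.
    msg = message_from_bytes(raw, policy=policy.default)
    notes: list[str] = []
    scrub_part(msg, notes)
    return msg, notes

# Constructed sample messages for this example (not real mail).
SAMPLE_ALTERNATIVE = b"""\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Plain text status report.
--b1
Content-Type: text/html

<html><body><p>Plain text status report.</p><script>alert(1)</script></body></html>
--b1--
"""
SAMPLE_HTML_ONLY = b"""\
Content-Type: text/html

<html><body><p>Hello Russ,</p><script>window.open("http://example.invalid/")</script><p>Please review the <b>attached</b> report.</p></body></html>
"""
SAMPLE_SIGNED = b"""\
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b2"

--b2
Content-Type: text/html

<html><body>signed html body</body></html>
--b2
Content-Type: application/pkcs7-signature

MIIBAAA=
--b2--
"""
if __name__ == "__main__":  # filter mode: raw message on stdin, scrubbed copy on stdout
    out, log = scrub_message(sys.stdin.buffer.read())
    sys.stdout.buffer.write(out.as_bytes())  # use policy.SMTP if the next hop needs CRLF
    sys.stderr.write("".join(f"{note}\n" for note in log))
```

Wired in as the delivery step on the sendmail box, it reads the raw message on stdin and writes the rewritten copy on stdout for forwarding to the real gateway. The signed and encrypted cases come back unchanged but with a note in the log, so the caller can quarantine them or verify the signature first and strip afterwards, rather than either breaking the signature or silently passing HTML through.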


