Re: The whole Process

From: Michel Gallant (neutron_at_istar.ca)
Date: 04/16/04 

Date: Fri, 16 Apr 2004 16:28:47 -0400

Yup, I'll "sign" up to most of that.
 
However, I get this nagging feeling that hackers are just waiting in the
wings with very slickly engineered hacks-up-their-sleeves which will
target those official looking embedded signature icons such as pasted
above, or perhaps (as we've seen with IE chrome) modifying your favorite
S/MIME aware application to fool you :-)

=== MIAG

"Neb Okla" <n_okla@hotmail.com> wrote in message news:uLWfc.27734$B%4.10757@fe2.columbus.rr.com...
>
> "Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
> news:uLXLYb9IEHA.1388@TK2MSFTNGP10.phx.gbl...
> > "Sergio Dutra [MS]" <sergiod@online.microsoft.com> wrote in message
> > news:e1lFT$8IEHA.376@tk2msftngp13.phx.gbl...
> > -- snip
> >
> > > What you're describing is a digital signature - that is, you encrypt
> > > something with your private key so that anyone with your public key can
> > > decrypt it. It's only value is that it proves the message came from you.
> >
> > But oh what "value" ... imo probably MORE important these days than
> > protecting privacy of information. Think about the number of slick
> > non-authenticated (but fooled a lot of folks) messages purporting to
> > come from Microsoft?
>
> You also have to keep in mind that encryption is irrelevant if you don't
> know who sent the encrypted message.
>
> Digital signatures ensure two things. The first is that the message
> originated from the claimed sender. The second is that the message was not
> modified in transit.
>
> We don't have to look far (check your on mailbox, or favorite newsgroup) to
> find examples of messages sent by people who spoof their identity. Most
> Spam and Virues are propogated this way, so my friends and colleagues know
> that if a message was sent unsigned, it wasn't sent from me. And I have
> them trained to notify me when they recieve a message that is unsigned or
> has an invalid signature. It happens more often than you'd think -
> especially since spammers often obtain their "to" and "from" addresses from
> the same list of victims.
>
> I can't tell you how many times I get automated email responses from AV
> software all over the world expalining that I have a virus on my machine
> because I sent a message to their company. All of these rejected messages
> are unsigned. And most viruses use the same tactic as spammers - by lifting
> the "from" address from the infected PC's address book to prevent people
> from notifying the actual victim that their machine is infected.
>
> I also frequently encounter cases where ISP's forcibly insert advertisments
> into email after it has been sent - or otherwise edit the contents of
> emails. A signed message notifies the recipient that they should check with
> me if they want to be sure they have recieved the true meaning of my email.
>
> And of course there is the case of "phishing" - a problem so crafty that I
> can't understand why every company doesn't digitally sign all out-bound
> correspondence with customers - especially banks and online retailers.
> There are inexpensive systems that automatically sign each outbound email as
> originating from the company - and if consumers were trained to check for
> this (as they have been trained to look for the "SSL Lock" on secure
> websites) it would be more difficult to fool them.
>
> I think this is wishful thinking in a world where most email passwords are
> sent cleartext. 8-)
>
>
> So we've established that digital signatures have "value" - the question is,
> how to make it convenient and easy such that the average user (like my mom!)
> can benefit.
>
> Luckily, there is already an answer. While most digital signature
> validation schemes require a plugin, S/MIME signature validation has been
> embedded in email and news clients from Microsoft and Netscape for years.
> More recently, IBM and Apple joined the party, and in Mac OS X, even Mac
> Mail supports S/MIME digitally signed or encrypted messages. Clients with
> native support are also freely available for Solaris and Linux machines.
> It's estimated that 90% of the email clients in the world support S/MIME.
> Best of all, since it is integrated into the client, validation requires no
> user intervention or configuration. If you're using an NNTP client that
> supports S/MIME, you validated this message when you opened it - with zero
> effort on your part.
>
> This is the key part since such a vast majority of computer users can
> benefit from the technology without understanding it.
>
>
> > Heck, there are a lot of naive folks who would even be fooled by the PGP
> > signatures commonly found on MS bulletins (that most folks know nothing
> about verifying!).
>
> It is true that novice users may assume that because a message is PGP-signed
> that it must be valid. In fact, this view is not restricted to novice
> users. Recently Spammers illustrated this perception problem by forging PGP
> signatures and getting the "green light" to bypass SpamAssassin
> <http://www.silicon.com/research/specialreports/thespamreport/0,39025001,100
> 06378,00.htm>. The signatures were never checked for validity - but they
> were tagged as legitimate simply because they appeared to be properly
> signed.
>
> I'd like to see an added feature in the next version of Outlook. I'd like
> it to verify any S/MIME signed emails and if they contain a VALID signature,
> then I would like them to be forwarded to me. This would ensure that the
> sender had a valid return email address - and the solution should also allow
> me to block all messages signed by a specific ID (this should also be added
> to IE to allow users to refuse ALL downloads from spyware companies - even
> though they are digitally signed).
>
> Anyway, the problem with "assumed validity" and PGP should be reason enough
> that Microsoft switch to S/MIME for it's Security Bulletins.
>
> To be nice to the PGP users, I have found that both signature types can
> co-exist, so if MS wanted, they could sign their bulletins with S/MIME and
> PGP allowing novice users to benefit from the auto-verification features of
> S/MIME that they already have - while still allowing cryptomaniacs to verify
> the message integrity manually with PGP. Of course, PGP users who use an
> S/MIME compliant email client would be double-validating the message, but
> I've met some hard-core types who S/MIME and PGP sign every email. 8-)
>
>
> > Still don't understand why Microsoft doesn't use more of their own
> implemented
> > signature verification infrastructure (and S/MIME signed email) to
> authentication
> > messages they post!
>
> It's a very good question - and one that I haven't seen answered yet. Mike
> Nash, in a chat I was in the other day said "that's a great idea - we'll
> look into it". It will be interesting to see if such an obvious and
> beneficial security solution. It definately falls into the category of "low
> hanging fruit".
>
> In fact, MS using PGP to sign instead of S/MIME is a little like the
> situation I encountered with Network Solutions (Verisign). Even though they
> were owned by Verisign at the time, they were unable and unwilling to send
> me a password via Verisign (X509) encrypted email. Instead we had to rely
> on the highly secure technology of "the telephone" to provide me with the
> password. Of course, with a phone you can't really verify who is on the
> other end - which brings us back to why identity verification has value in
> secure communications.
>
>
> > Go X509-Sigs Go!
> >
> > - Mitch
>
> ...yeah! What he said!
>
>
> --
> *** Secure Digitally Signed Email Tutorial *** - Fight Spam, Viruses,
> Spoofing and in-transit email modification with your email software's
> security features! http://www.marknoble.com/tutorial/smime/smime.aspx
> ----------------------------------------------------------------------------
>

Relevant Pages

  • Re: The whole Process
    ... While most digital signature ... embedded in email and news clients from Microsoft and Netscape for years. ... Mail supports S/MIME digitally signed or encrypted messages. ... Recently Spammers illustrated this perception problem by forging PGP ...
    (microsoft.public.platformsdk.security)
  • Re: The whole Process
    ... That's why I use a Hotmail account with my S/MIME signature - I've read that it can't be done, but the proof is in the pudding, you CAN use S/MIME with Hotmail!!! ... While most digital signature> validation schemes require a plugin, S/MIME signature validation has been> embedded in email and news clients from Microsoft and Netscape for years. ... Recently Spammers illustrated this perception problem by forging PGP> signatures and getting the "green light" to bypass SpamAssassin ...
    (microsoft.public.platformsdk.security)
  • [Full-Disclosure] Re: OpenPGP (GnuPG) vs. S/MIME
    ... > I'd like to open a discussion about PGP vs. S/MIME. ... finds who have been using 2048-bit S/MIME keys without problems. ... clients without extra software. ... at the CIO/CTO level) - the big remaining issue is client support. ...
    (Full-Disclosure)
  • [Full-Disclosure] Re: OpenPGP (GnuPG) vs. S/MIME
    ... > I'd like to open a discussion about PGP vs. S/MIME. ... finds who have been using 2048-bit S/MIME keys without problems. ... clients without extra software. ... at the CIO/CTO level) - the big remaining issue is client support. ...
    (Full-Disclosure)
  • Re: OT: Email signing
    ... The previous message did not have the S/MIME ... A signature is added to a message as confirmation ... > MIME hierarchy. ... No guarantees about any and all clients being able to read ...
    (Fedora)