Reflex Magnetics - Security Software Experts, UK Data Security Software Since 1985
www.reflex-magnetics.co.uk


Reflex Magnetics News

Digital signatures can easily be forged

September, 2002
Digital signatures can easily be forged and therefore can't be trusted in Outlook because of the same certificate chaining issue plaguing Internet Explorer, researcher Mike Benham says (http://www.theregister.co.uk/content/archive/26924.html).

It appears that the same design flaw can be used against Outlook users. Briefly, an attacker would sign an untrusted cert with a trusted, intermediate one. Of course, just because the cert doing the signing is trusted, that's no reason why its offspring should be. Unfortunately, neither IE nor Outlook checks basic constraints, and for this reason the end user is never warned that the certificate chain is questionable.

"As it stands, there is virtually no difference between signed and unsigned email in Outlook. Unless carefully inspected, signed email in Outlook is essentially meaningless. This also applies to any signed email received over the past 5+ years," Benham says.

Fortunately for Reflex MailSafe users, this security plug-in for MS Outlook bypasses the vulnerability. Alexei Shamov, one of Reflex's senior developers, explains: "MailSafe uses its own certificate trust verification mechanism, which is implemented in accordance with RFC 2459. We do check the basic constraints certificate extension, and as a result Reflex MailSafe is free from the described vulnerability." If you would like to know more about Reflex MailSafe, please go to our products section.
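
The basic constraints check that IE and Outlook are described as skipping, and that RFC 2459 path validation requires, as an added example (not MailSafe's or Reflex's code). Chains are modelled as constructed (subject, extension bytes) pairs; the function names are hypothetical, and signature and validity checks are assumed to have passed already.

```python
# Added example: the basic constraints rule from RFC 2459 path validation.
# Assumption: signature, validity and name checks have already passed.

def parse_basic_constraints(der):
    """Decode a DER BasicConstraints value into (is_ca, path_len or None)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("expected a short-form DER SEQUENCE")
    body, is_ca, path_len = der[2:], False, None
    if body[:2] == b"\x01\x01":                 # cA BOOLEAN DEFAULT FALSE
        if len(body) < 3:
            raise ValueError("truncated BOOLEAN")
        is_ca, body = body[2] == 0xFF, body[3:]
    if body[:1] == b"\x02":                     # pathLenConstraint INTEGER
        if len(body) < 2 or len(body) < 2 + body[1]:
            raise ValueError("truncated INTEGER")
        n = body[1]
        path_len, body = int.from_bytes(body[2:2 + n], "big"), body[2 + n:]
    if body:
        raise ValueError("unexpected data in BasicConstraints")
    return is_ca, path_len

def check_chain(chain):
    """chain: (subject, basicConstraints DER or None) pairs, leaf first and
    trust anchor last. Every issuer below the anchor must be a CA."""
    for i in range(1, len(chain) - 1):
        subject, ext = chain[i]
        if ext is None:
            return False, f"{subject}: no basicConstraints, not a CA"
        is_ca, path_len = parse_basic_constraints(ext)
        if not is_ca:
            return False, f"{subject}: cA is FALSE, may not sign certificates"
        # i - 1 CA certificates sit between this issuer and the leaf.
        if path_len is not None and i - 1 > path_len:
            return False, f"{subject}: pathLenConstraint {path_len} exceeded"
    return True, "ok"

# Constructed sample extension values and chains (not taken from real certs).
CA_TRUE, CA_PATH0, NOT_CA = (bytes.fromhex(h) for h in
                             ("30030101ff", "30060101ff020100", "3000"))
GOOD = [("mail user", None), ("Intermediate CA", CA_PATH0), ("Root CA", CA_TRUE)]
QUESTIONABLE = [("claimed sender", None), ("end-entity cert", NOT_CA),
                ("Intermediate CA", CA_PATH0), ("Root CA", CA_TRUE)]

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("questionable", QUESTIONABLE)):
        print(name, check_chain(chain))
```

A verifier that omits `check_chain` accepts both chains, which is why the user is never warned; with it, the second chain is rejected at the end-entity certificate acting as an issuer.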

© Reflex Magnetics 2002-2005. All rights reserved