-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As one of the developers of the Outlook PGP plug-in, I feel I need to
correct a misunderstanding:
Ryan Lackey wrote:
> What MS Outlook appears to do is display status information about
> signature checking on messages in the mail message frame itself,
> indistinguishable from ordinary text. The obvious attack is to send
> a user unsigned mail (it could be encrypted, to add additional
> legitimacy to the attack) with text at the beginning of the message
> simulating the output of signature checking on the recipient's
> computer. This can be done fairly convincingly -- it is hard to get
> the timestamp exactly correct, but few users check the details
> thoroughly if the message appears normal.
>
I assume you're talking about something like this:
*** PGP Signature Status: good
*** Signer: Damon Gallaty <[EMAIL PROTECTED]>
*** Signed: 6/3/99 2:38:04 PM
*** Verified: 6/7/99 3:44:28 PM
*** BEGIN PGP VERIFIED MESSAGE ***
Test
*** END PGP VERIFIED MESSAGE ***
The PGP Plug-in for Outlook does in fact produce such output when a message
is decrypted/verified. However, the user must manually select to
decrypt/verify the message before such output is produced. Before the
message is verified, it looks like this:
(note: PGP headers munged on purpose in this example)
===BEGIN PGP SIGNED MESSAGE===
Hash: SHA1
Test
===BEGIN PGP SIGNATURE===
Version: PGP 6.5
iQA/AwUBN1bLjFb/7csIIkCJEQIpfQCfe1WTry4gjQBXENr0puwhb3anB30An1GN
6TK1hMwcIIfSWx0vDlLl1R2a
=aGMs
===END PGP SIGNATURE===
The only case where someone could sneak in a "fake" signature verification
result is if the user turns on the "Automatic decryption" option, in which
case the user wouldn't see the "before" PGP signature, only the results.
However, this option is turned off by default, so the user must make a
manual choice to sacrifice the potential security problem for convenience.
- - Damon Gallaty <[EMAIL PROTECTED]>
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x08224089
- ----------------------------------------------------------------------
"As soon as men decide that all means are permitted to fight an evil,
then their good becomes indistinguishable from the evil that they set
out to destroy."
--Christopher Dawson, The Judgment of Nations, 1942
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5
iQA/AwUBN1wj6Fb/7csIIkCJEQKw1QCeP/YIdZ9ewTg8cTHqcKMElTQPqL4AoJWS
cPuyHPgEuiPbxxDjxTfM2OQo
=RqmO
-----END PGP SIGNATURE-----
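The in-band banner spoofing Ryan Lackey describes, as an added detection example that is not part of the original post or of the Outlook plug-in: it parses only the clearsign armor framing (it does not verify the signature) and flags banner lines that arrived inside the sender-controlled text, where the plug-in could not yet have written them. The banner format is taken from the post; the sample messages, dummy signature and label names are constructed for this example.

```python
import re

# Lines the plug-in writes into the message frame after a manual verify.
BANNER_RE = re.compile(
    r"^\*\*\* (?:PGP Signature Status|Signer|Signed|Verified):"
    r"|^\*\*\* (?:BEGIN|END) PGP VERIFIED MESSAGE \*\*\*", re.M)
CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

def split_clearsigned(raw):
    """Return (signed_text, armored_sig) for a clearsigned message, else None.
    Only the armor framing is parsed; the signature is not verified here."""
    lines = raw.splitlines()
    try:
        start = lines.index(CLEARSIGN_BEGIN)
        sig_start = lines.index(SIG_BEGIN, start)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError:
        return None
    i = start + 1
    while i < sig_start and re.match(r"[A-Za-z-]+: ", lines[i]):  # armor headers
        i += 1
    if i < sig_start and lines[i] == "":
        i += 1
    # undo clearsign dash-escaping ("- - Damon" in the post is one such line)
    body = [l[2:] if l.startswith("- ") else l for l in lines[i:sig_start]]
    return "\n".join(body), "\n".join(lines[sig_start:sig_end + 1])

def banner_lines(text):
    """Banner lines found in text the sender controlled."""
    return [m.group(0) for m in BANNER_RE.finditer(text)]

def classify(raw):
    """Label a message as received, before any plug-in output exists."""
    parts = split_clearsigned(raw)
    if parts is None:
        return "spoofed-banner-unsigned" if banner_lines(raw) else "plain-unsigned"
    signed_text, _sig = parts
    if banner_lines(signed_text):
        return "spoofed-banner-inside-signed-text"
    return "clearsigned"

# Constructed samples: FAKE mimics the banner; REAL carries a dummy signature.
FAKE = ("*** PGP Signature Status: good\n*** Signer: Someone <a@example.invalid>\n"
        "*** BEGIN PGP VERIFIED MESSAGE ***\nMeeting moved to 3pm.\n"
        "*** END PGP VERIFIED MESSAGE ***\n")
REAL = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nTest\n- -- sig line\n"
        "-----BEGIN PGP SIGNATURE-----\nVersion: PGP 6.5\n\nAAAA\n=XXXX\n"
        "-----END PGP SIGNATURE-----\n")
```

A mail filter applying this check at delivery time sees the message before the plug-in runs, which is exactly when a banner in the body cannot be legitimate.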