The Recent Kerfluffle over S/MIME and PGP
The Market Ticker - Commentary on The Capital Markets
Logging in or registering will improve your experience here
Main Navigation
Display list of topics
Sarah's Resources You Should See
Sarah's Blog Buy Sarah's Pictures
Full-Text Search & Archives
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.

NO MATERIAL HERE CONSTITUTES "INVESTMENT ADVICE" NOR IS IT A RECOMMENDATION TO BUY OR SELL ANY FINANCIAL INSTRUMENT, INCLUDING BUT NOT LIMITED TO STOCKS, OPTIONS, BONDS OR FUTURES.

The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.

Considering sending spam? Read this first.

2018-05-18 09:55 by Karl Denninger
in Technology , 82 references Ignore this thread
The Recent Kerfluffle over S/MIME and PGP
[Comments enabled]

Ah, the idiots who write code are at it again.

This time it's pretty bad too.  Apparently nobody thought about the problem of malformed clients accessing HTML components in an email that happens to be encrypted.

That could be trouble.  You see, HTML can post things as well as read them, and along with specific sorts of HTML markup and similar very evil things can be done -- including sending the contents of an encrypted mail outbound.

The problem is that MIME allows for multiple parts, so if you can steal an encrypted message you can then send it as a piece of a new one, which the client will dutifully (as it has the key!) decrypt it for you and then send it out to the bad guy.

Ain't that nice?

It doesn't work if it's a text email, because there are no multi-part pieces in such a message.

Of course the obvious is don't allow HTML components and methods in an encrypted message, and if a sender tries that then don't act on them at all on the receiving end.  Gee, nobody thought of that one eh?  smiley

The Thunderbird folks already have figured out how to fix it (duh!) but the bigger problem is going to be Outlook, which has support for this (albeit broken in other ways, but people do use it) and which has several older incantations laying around that are probably well outside of Microsoft's willingness to support and update.  If you're using one of those you're probably screwed.

Exploiting this requires stealing some of the ciphered email you want to decode, so you have to break into the target's machine first.  But the entire point of PGP or S/MIME is to make stealing the recipient's computer worthless.

Oops.

Go to responses (registration required to post)
 

 
Comments.......
User: Not logged on
Login Register Top Blog Top Blog Topics FAQ
User Info The Recent Kerfluffle over S/MIME and PGP in forum [Market-Ticker]
Whitehat
Posts: 438
Incept: 2017-06-27

The People's Republic of New York
Report This As A Bad Post Add To Your Ignored User List
back in the late 90's there was a concern with that time period's versions of Outlook that prompted both an update if you manually retrieved them from Microsoft as was the method then and a general advisory to deselect the option to run web or active content in emails. it appears as if this became the default in later versions as such content is not displayed unless the sender or sender's domain is marked as trusted. please correct me if i am wrong. does this mitigate the problem?

----------
There are two ways to be rich: One is by acquiring much, and the other is by desiring little.
snow, seasons, distance and dirt roads: SSDD
"Be not deceived; God is not mocked; for whatsoever a man soweth, that shall he also reap" (Gal. 6:7)
Tickerguy
Posts: 152887
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
I would ASSUME yes, but whether it's truly effective I do not know.

----------
Winding it down.
Whitehat
Posts: 438
Incept: 2017-06-27

The People's Republic of New York
Report This As A Bad Post Add To Your Ignored User List
thanks

----------
There are two ways to be rich: One is by acquiring much, and the other is by desiring little.
snow, seasons, distance and dirt roads: SSDD
"Be not deceived; God is not mocked; for whatsoever a man soweth, that shall he also reap" (Gal. 6:7)
Tickerguy
Posts: 152887
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
Yeah, I avoid Outlook like the clap. Never had the latter, but the few times I've had to **** with it I think I would have rather gotten the clap instead.

----------
Winding it down.
Login Register Top Blog Top Blog Topics FAQ