Coffeehouse Thread

7 posts

Fun with Hotmail and Email Security

  • mnoble

    As a clever test of skill, see if you can figure out a way to send S/MIME signed email from a Hotmail account.

    I'll be happy to judge success or failure - just send an S/MIME signed email (with your Channel9 alias) to my Hotmail account (listed in my profile) and you'll win a prize* (which will be delivered via S/MIME encrypted email)!

    Next week I'll post a list of those bored/smart/cool enough to figure it out. Tongue Out

    Have fun!

    *Note: Prize is worthless. Smiley

  • Maurits

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    It's trivial to send a PGP- or GPG-signed message from anywhere - in
    fact I can even sign my post
    -----BEGIN PGP SIGNATURE-----
    Comment: pub key http://matthew.vaneerde.com/pgp-public-key.asc

    iD8DBQFBSHwNUQQr0VWaglwRApEWAKCDkLUV0BNaKezVC45VMJU+NQ5ijwCfbHK6
    lpgiDXhzeHdERnQXAMBaBs8=
    =1s4d
    -----END PGP SIGNATURE-----

  • mnoble

    True.  But users must have PGP to verify it - otherwise it's just an ugly blob of text - even more ugly if you actually attach your public key.

    A lot of people just assume that all PGP signatures they see are valid.  In fact, when several Spam filters lazily assumed validity, the Spammers caught on fast.

    The advantage of S/MIME is that it hides the guts of the keys and signatures from the user and validates each email automatically before it is opened.  This means that even a novice user will be notified if someone or something has tampered with the email - or if the signature is simply made up (as in the case of invalid Spam signatures).

    And then there is the fact that people can give trust to any old person they like - or even trust non-existent users with PGP/GPG.  Trust systems like those used by Thawte (for example) require that multiple trusted individuals verify an official photo ID (assuming the person wants to have their digital ID validated).

    Every Outlook, Outlook Express, Netscape Messenger, Mozilla Thunderbird, and Mac Mail user automatically verifies S/MIME signatures when viewed.  It's doubtful that PGP/GPG will ever attain that kind of reach.

    In fact, I wonder why MS security bulletins aren't S/MIME signed (they are PGP signed, and I'm not suggesting they orphan those users - but it's possible to sign with both PGP and S/MIME).

  • Maurits

    mnoble wrote:

    In fact, I wonder why MS security bulletins aren't S/MIME signed (they are PGP signed, and I'm not suggesting they orphan those users - but it's possible to sign with both PGP and S/MIME).


    Maybe so third-party email deliverers can send the security bulletins?  If I were Microsoft, I'd be loath to give my private S/MIME certificate out to the email deliverers, but I'd be fine with PGP-signing some content and giving the signed content out.

    The Organization for Internet Safety - to which Microsoft belongs - mandates digitally signing security bulletins
    http://www.oisafety.org/process.html#_Toc42474373
    so S/MIME or PGP are both natural choices.  I would guess PGP was just easier to implement.  (But just try finding Microsoft's public PGP key on their site!)

  • mnoble

    Maurits wrote:

    Maybe so third-party email deliverers can send the security bulletins?  If I were Microsoft, I'd be loath to give my private S/MIME certificate out to the email deliverers, but I'd be fine with PGP-signing some content and giving the signed content out.


    If I were Microsoft, I'd set up an S/MIME gateway.  All email from third-party email deliverers approved by the company would pass through it and have the digital signature applied before delivery.

    Or, the third-party email deliverers could have their own S/MIME gateway (or even sign each message as it is generated) and then Microsoft could trust the certificate in question.

    It'd be more difficult than just slapping a PGP signature on it.  And I'd bet that more people would validate an S/MIME signature than a PGP/GPG signature.
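    The gateway sketched in the post above, as an added example that is not code from this thread, from Microsoft or from any deliverer. It assumes the third-party Python `cryptography` package, a constructed allow-list of approved deliverers, and an ephemeral self-signed certificate standing in for the CA-issued one a real gateway would hold; recipients' mail clients do the verification, as the thread describes.

```python
# Constructed model of an S/MIME gateway: mail from an approved third-party
# deliverer leaves with a detached S/MIME (PKCS#7) signature attached.
# Needs the third-party 'cryptography' package (not the standard library).
import datetime
import email.utils
from email import policy
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7

APPROVED_DELIVERERS = {"bulletins@deliverer.example"}  # constructed allow-list

def make_gateway_identity(mailbox: str):
    """Ephemeral self-signed cert + key; a real gateway would hold a CA-issued one."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example gateway")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder().subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        # S/MIME clients match the signer's address against the rfc822Name SAN.
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(mailbox)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert, key

def gateway_sign(raw_message: bytes, cert, key) -> bytes:
    """Refuse mail from unapproved deliverers; otherwise re-emit it as multipart/signed."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(msg["From"] or "")[1].lower()
    if sender not in APPROVED_DELIVERERS:
        raise PermissionError(f"deliverer {sender!r} is not approved; not signing")
    body = msg.get_payload(decode=True)  # the bytes the signature will cover
    signed = (
        pkcs7.PKCS7SignatureBuilder().set_data(body)
        .add_signer(cert, key, hashes.SHA256())
        .sign(serialization.Encoding.SMIME,
              [pkcs7.PKCS7Options.DetachedSignature, pkcs7.PKCS7Options.Text])
    )
    # Prepend the envelope headers as raw bytes so the signed body is untouched.
    envelope = "".join(f"{h}: {msg[h]}\r\n" for h in ("From", "To", "Subject") if msg[h])
    return envelope.encode() + signed

def signed_layout(raw_signed: bytes):
    """Content type of the outer message and of each part, for inspection."""
    out = email.message_from_bytes(raw_signed)
    return out.get_content_type(), [p.get_content_type() for p in out.get_payload()]
```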

  • Maurits

    Kudos to the MSRC... their latest security bulletin includes a direct link to their PGP key on www.microsoft.com.  And for extra bonus points, they pointed to the https: version!

    Darn... now I can't make a secure@microsoft.com key for myself, post it to the key servers, sign some phony security bulletins, and distribute them to the general public... Wink

  • Maurits

    Oh, and the MSRC does have an S/MIME certificate through Verisign for those who prefer S/MIME to PGP.
    If you want to download the MSRC's S/MIME certificate, here's what you do:
    1) Go to the MSRC's PGP key page (ah, the irony...)
    2) Click on the Verisign link
