
Flaw in email security means signed mails cannot be encrypted

I was at a company the other day that uses a well-known email encryption solution as they have some very sensitive information that they need to send both internally and externally. As is common for these solutions, it is possible to automatically sign the email by putting a keyword in the subject line, such as 'signemail'. Similarly, the mail will be encrypted automatically if the confidential flag is set or a keyword, such as 'encryptemail', is added to the subject.

So far, so good. There are no messy button presses or extra steps for the user. However, there is a flaw with the solution. (I should point out that at this moment it is unclear if it is a product problem or a configuration problem, hence my not mentioning the product.)

The issue is that signing the message appears to take precedence over encryption. So, if you add both keywords to the subject then the message will only be signed and not encrypted. Now the encryption solution does also sign the message, so if you want it encrypted then you don't need to specifically sign it as well.

So is this really a problem or am I just making a fuss? Well, I can envisage several situations when it would be a problem. The most likely is probably replying to a signed message with confidential data. Let's say that Alice puts in a request for sensitive information from Bob via a signed email - only certain people can have access to the information so it is reasonable to expect Alice to digitally sign the request, but the request is not sensitive in itself.

Now, if Bob replies to that request with the sensitive information attached, he will follow policy and mark it as confidential and add the encryption keyword, 'encryptemail', to the subject line. He will now assume that the information will automatically be encrypted. However, if he doesn't remove Alice's 'signemail' keyword, it will just be signed and not encrypted. This then violates the policy and sends confidential information in plaintext while the user believes that it has been encrypted.

It also highlights that you shouldn't use a keyword that might be used as part of everyday language. For example, don't use the keyword 'sign' as someone could send a sensitive document with a subject something like 'Contract for you to sign'.

I suggest that everyone using this type of solution should test it to see if this happens on their system. If it does, you will, at the least, need to publish an advisory warning to your users.
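A small model of the precedence problem and a test matrix for it, as an added example that is not from the product in question: the rule logic is an assumption (first-match evaluation with the signing rule listed first), and only the keywords 'signemail', 'encryptemail' and 'sign' come from the post. The same subjects can be sent through a real gateway to a test mailbox and the received messages checked by hand.

```python
import re

# Keywords named in the post; the rule order below is an assumed model,
# not the behaviour of any specific product.
SIGN_KW, ENCRYPT_KW = "signemail", "encryptemail"

def has_keyword(subject, keyword):
    """Match the keyword as a whole token, case-insensitively."""
    pattern = rf"(?<!\w){re.escape(keyword)}(?!\w)"
    return re.search(pattern, subject, re.IGNORECASE) is not None

def flawed_policy(subject, confidential=False, sign_kw=SIGN_KW):
    """First match wins and the signing rule is checked first."""
    if has_keyword(subject, sign_kw):
        return "sign"
    if confidential or has_keyword(subject, ENCRYPT_KW):
        return "encrypt+sign"
    return "none"

def fixed_policy(subject, confidential=False, sign_kw=SIGN_KW):
    """Most protective action wins: encryption is checked before signing."""
    if confidential or has_keyword(subject, ENCRYPT_KW):
        return "encrypt+sign"
    if has_keyword(subject, sign_kw):
        return "sign"
    return "none"

# Constructed test matrix: (subject, confidential flag, action the policy must apply)
CASES = [
    ("Request for Q3 figures signemail", False, "sign"),                         # Alice's request
    ("RE: Request for Q3 figures signemail encryptemail", True, "encrypt+sign"),  # Bob's reply
    ("Payroll export encryptemail", False, "encrypt+sign"),
    ("Lunch on Friday?", False, "none"),
]

def audit(policy):
    """Return the subjects for which the policy did not apply the required action."""
    return [subj for subj, conf, want in CASES if policy(subj, conf) != want]

if __name__ == "__main__":
    print("flawed rule order fails on:", audit(flawed_policy))
    print("fixed rule order fails on: ", audit(fixed_policy))
    # An everyday word as the signing keyword downgrades a confidential mail.
    print(flawed_policy("Contract for you to sign", confidential=True, sign_kw="sign"))
```
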

Comments

  1. I really enjoyed the article. It proved to be very helpful to me and I am sure to all the commenters here! Keep writing. Thanks.

    pki certificate.

