Re: Outlook 98 Security "Feature"

From: Craig Anderson (craigat_private)
Date: Wed Jan 20 1999 - 21:51:34 PST


    On Sat, 16 Jan 1999, Todd Beebe wrote:
    
    <--( SNIP )-->
    
    > I don't think an encrypted email that I receive, should be unencrypted when
    > I reply, and require me to Forward the reply to any and all recipients.
    > Shouldn't the default be to encrypt all replies to encrypted email?
    >
    > Is this the standard with other email packages using encryption?
    >
    
    <--( SNIP )-->
    
      That's a ridiculous behavior.  If an e-mail is sent out encrypted to the
    recipient, the reply to the sender should definitely be automatically
    encrypted.  Then again, whoever thinks M$ knows how to handle appropriate
    behaviors when it comes to encryption/authentication should go read a few
    L0pht advisories.
    
      Netscape Messenger supports a somewhat correct behavior for
    handling replies to encrypted e-mails ( using S/MIME and VeriSign digital
    IDs ) :
    
      If you reply to an e-mail that the sender encrypted with your 'e-mail
    certificate' ( as Netscape calls it, or digital ID as VeriSign calls it )
    then the reply is automatically encrypted with the sender's 'e-mail
    certificate'.
    
      However, you can toggle this function.  When you receive an encrypted
    e-mail and reply back to the sender you can uncheck the 'Encrypted'
    checkbox under 'Message Sending Options'.   This will send the reply back
    to the sender unencrypted.
    
      You can click on the 'Security' icon and then click on 'Messenger'.
    Under 'Sending Signed/Encrypted Mail' you can uncheck or check the box
    'Encrypt mail messages, when it is possible' to have Messenger
    automatically encrypt outgoing messages that are for recipients whose
    'e-mail certificate' you have downloaded.
    
      So, providing you have the digital ID of the sender who has sent you an
    encrypted e-mail, then yes the default way of handling this should always
    be to encrypt it with the sender's digital ID unless the user turns it
    off.
    
      A default behavior you want to be careful about ( if you're concerned )
    is the S/MIME ciphers that are enabled by default under Netscape.   In
    some cases the S/MIME cipher used in a particular encrypted communication
    may be much lower than you would want, so be careful.  You can set the
    S/MIME ciphers by clicking on the 'Security' icon, click on 'Messenger'
    and then clicking on the button 'Select S/MIME Ciphers'.  Then it's up to
    you from there.
    
    
    
    -- Craig
    
    
    ----------------((  1   9   9   9   ))-----------------
    
        _\/  \/_
         _\/\/_         Craig Anderson
     _\_\_\/\/_/_/_     craigat_private
      / /_/\/\_\ \      Dominus Reconditus
         _/\/\_         Voice: 503.671.1262
         /\  /\
    
         0x47 0x6f 0x74 0x20 0x72 0x6f 0x6f 0x74 0x3f
    
    ----------------((   E    O    T   ))-----------------
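
One way to check which S/MIME cipher a given encrypted message actually used, as the message above advises. This is an added example, not part of the original post and not code from any mail client. It reads the content-encryption algorithm out of the DER-encoded CMS EnvelopedData (the base64-decoded `application/pkcs7-mime` body); the sample messages, the helper names and the 128-bit threshold are assumptions made for the illustration.

```python
# Added illustration; the sample messages are constructed, not real mail.
RC2_CBC = bytes.fromhex("2a864886f70d0302")       # 1.2.840.113549.3.2
DES3_CBC = bytes.fromhex("2a864886f70d0307")      # 1.2.840.113549.3.7
ID_DATA = bytes.fromhex("2a864886f70d010701")     # 1.2.840.113549.1.7.1
ID_ENVELOPED = bytes.fromhex("2a864886f70d010703")  # 1.2.840.113549.1.7.3
RC2_BITS = {160: 40, 120: 64, 58: 128}  # rc2ParameterVersion -> effective key bits

def read_tlv(buf, pos=0):
    """Parse one definite-length DER element: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def content_cipher(der):
    """Return (name, key_bits) for the content-encryption algorithm."""
    _, content_info, _ = read_tlv(der)
    _, enveloped, _ = read_tlv(children(content_info)[1][1])  # inside [0] EXPLICIT
    eci = next(v for t, v in children(enveloped) if t == 0x30)  # EncryptedContentInfo
    oid, params = children(children(eci)[1][1])[:2]             # AlgorithmIdentifier
    if oid[1] == RC2_CBC:
        version = int.from_bytes(children(params[1])[0][1], "big")
        return "RC2-CBC", RC2_BITS.get(version)
    if oid[1] == DES3_CBC:
        return "DES-EDE3-CBC", 168
    return "unknown", None

def is_weak(der, min_bits=128):  # min_bits is an assumed local policy
    bits = content_cipher(der)[1]
    return bits is None or bits < min_bits

def tlv(tag, body):  # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample(alg_oid, params):  # stripped-down EnvelopedData, empty recipient set
    eci = tlv(0x30, tlv(0x06, ID_DATA) + tlv(0x30, tlv(0x06, alg_oid) + params)
              + tlv(0x80, bytes(8)))
    env = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x31, b"") + eci)
    return tlv(0x30, tlv(0x06, ID_ENVELOPED) + tlv(0xA0, env))

IV = tlv(0x04, bytes(8))
WEAK = sample(RC2_CBC, tlv(0x30, tlv(0x02, b"\x00\xa0") + IV))  # RC2, 40-bit
STRONG = sample(DES3_CBC, IV)
```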
    


