Hi folks,

I've searched high and low for other reports regarding this and have found none. Thus, I'm filing this risk report.

HISTORY: I've been using PGP v2.x for years in conjunction with many a mail program: Pine, Eudora, Netscape (v3.x Navigator, not v4.x Communicator), and Elm. In all that time, I never encountered a problem with sending or receiving encrypted mail regardless of the Mail Transport Agent (MTA) to which I've sent or received mail. Until now.

PROBLEM: After initiating encrypted correspondence, my contact at Honeywell and I have come to the distinct conclusion that Microsoft Exchange has a "feature" (*gag*choke*retch*) that tries to interpret PGP encrypted messages sent in ASCII RADIX-64 format into "human" terms. Characters were stripped or merged (i.e., AE became "Æ" and so on). As a consequence, the messages failed their checksums.

IMPACT: Communications are compromised by the Exchange MTA to the point that messages cannot be decrypted and must be re-sent by other means, wasting a lot of time and placing time-sensitive data at risk of becoming useless. Another possible risk would be some users eventually abandoning use of encryption for sensitive communications and sending data in the clear. (I didn't resort to that, but I'm stubborn that way.)

Even attempts at using another Microsoft product -- Internet Explorer -- as a workaround failed miserably. When attempting to send encrypted_file.txt (using Apache v1.3.6 on the server side), Explorer also tried "interpreting" the PGP-encrypted message and stripped out phrases like "=67", so the final line in the encrypted message ended up being changed from "=67Rg" to "gRg". Once again, checksum failure.

SOLUTION: My personal feeling is that individuals and agencies that use PGP or GPG should use any other MTA but Microsoft Exchange. (I'll spare the gentle reader my views on Microsoft's Internet Explorer for now.)

However, I recognize that some folks are stuck with Microsoft Exchange and related products as an "institutional solution," (sic) so I alternatively recommend that said users not send PGP encrypted messages in ASCII RADIX-64 format to Outlook users, but instead encrypt them as binary files and send them as attachments. Fortunately, Outlook doesn't seem to want to "interpret" attached binaries.

CAVEATS: I have not sought confirmation on whether this same sort of behavior occurs with the PGP v5.x/v6.x plug-in for Exchange from Network Associates (I somehow doubt it does). While I do use PGP v6.x, I do so only to communicate via Eudora with technophobes who can't get along without a GUI. (I do not trust PGP 5.x and higher for Windows as the SWAP attack alone leaves me cold.) Additionally, I refuse to load and operate Microsoft Exchange on my Windows machine.

-Jay

"There's always time for a good cup of coffee"
Jay D. Dyson - jdysonat_private
Superman had Kryptonite, I have NT. Life is real.
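An added example, not part of the original post: a receiving-side check that reports why an armored block fails, separating characters that are not Radix-64 (such as "Æ"), a rewritten checksum line, and a CRC-24 mismatch as defined for ASCII armor in RFC 4880. The "=67Rg" to "gRg" change reported above is what quoted-printable decoding produces, since "=67" is the quoted-printable form of "g". The function names and the sample message are constructed for illustration.

```python
import base64, binascii, re

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Build a minimal armored block from constructed bytes (sample input only)."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "Version: 2.6.2", "",
                      *lines, "=" + crc, "-----END PGP MESSAGE-----"])

B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def check_armor(text: str) -> list[str]:
    """Return the problems found in one armored block ([] means intact)."""
    lines = [l.rstrip("\r") for l in text.split("\n")]
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    blank = lines.index("", begin)  # armor headers end at the first blank line
    body, crc_line, problems = [], None, []
    for n, line in enumerate(lines[blank + 1:end], blank + 2):
        if len(line) == 5 and line.startswith("="):
            crc_line = line[1:]  # "=" plus 4 Radix-64 characters
        elif B64_LINE.match(line):
            body.append(line)
        else:
            problems.append(f"line {n}: not Radix-64: {line!r}")
    if crc_line is None:
        problems.append("checksum line missing or rewritten")
    if problems:
        return problems
    try:
        data = base64.b64decode("".join(body), validate=True)
        expected = int.from_bytes(base64.b64decode(crc_line, validate=True), "big")
    except binascii.Error as exc:
        return [f"Radix-64 decode failed: {exc}"]
    return [] if crc24(data) == expected else ["CRC-24 mismatch: body altered in transit"]

SAMPLE = armor(bytes(range(90)))  # constructed sample, not a real PGP message
print(check_armor(SAMPLE), check_armor(SAMPLE.replace("AE", "Æ", 1)))
```

Running it against a message saved straight from the mail client shows whether the damage happened in transit before any decryption is attempted.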
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:50:42 PDT