
posted by Fnord666 on Sunday October 15 2017, @07:22AM   Printer-friendly
from the so-you-can-read-it-easier dept.

Submitted via IRC for Bytram

Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached.

You read that right: the cleartext copy travels inside the message itself, so if you can intercept a network connection transferring an encrypted email, or read the message where it rests on a relaying server, you can simply read off the unencrypted copy stapled to it, if the programming blunder is triggered.

The bug is triggered when an Outlook user encrypts a message with S/MIME and formats the email as plain text. On sending, the software reports that the memo went out in encrypted form, and it appears that way in the Sent folder, so the sender gets no warning – but attached to the ciphered text is an easily human-readable cleartext version of the same email. This somewhat derails the use of encryption.

"This has been a rather unusual vulnerability discovery," the SEC team said in an advisory on Tuesday.

Source: https://www.theregister.co.uk/2017/10/11/outlook_smime_bug/
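The failure mode described above comes down to a readable MIME part travelling in the same message as the application/pkcs7-mime part. The script below is an added example, not code from SEC Consult, Microsoft or The Register: it walks a message, and when it finds an S/MIME encrypted part it reports every text/plain part that rides alongside it. The sample messages are constructed; their MIME layout is an assumed illustration of the bug class, not a capture of what Outlook actually emitted, and the base64 blob is a placeholder rather than real CMS data.

```python
"""Flag S/MIME messages that carry a readable copy of their own body.

Added example for the bug class described above; this is not code from
SEC Consult, Microsoft or The Register. The MIME layouts of the sample
messages are constructed to illustrate the problem and are an
assumption, not a capture of what Outlook actually emitted.
"""
from email import message_from_string
from typing import List

# Content types that mark a part as S/MIME ciphertext (CMS EnvelopedData).
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def find_cleartext_leak(raw: str) -> List[str]:
    """Return the body of every readable text/plain part in a message
    that also contains an S/MIME encrypted part.

    An empty list means either there is no encrypted part at all (so
    nothing was meant to be protected) or the encrypted part travels
    alone, which is what a correctly built S/MIME message looks like.
    """
    msg = message_from_string(raw)
    has_ciphertext = False
    leaked: List[str] = []
    # walk() yields the top-level message and every nested part.
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in SMIME_TYPES:
            has_ciphertext = True
        elif ctype == "text/plain" and not part.is_multipart():
            # decode=True undoes base64 / quoted-printable transfer encoding.
            body = part.get_payload(decode=True)
            if body:
                text = body.decode(part.get_content_charset() or "utf-8", "replace")
                if text.strip():
                    leaked.append(text.strip())
    return leaked if has_ciphertext else []


def is_leaking(raw: str) -> bool:
    """True when the message both encrypts its body and ships it in clear."""
    return bool(find_cleartext_leak(raw))


# Placeholder standing in for the CMS blob: base64 of "not real ciphertext".
FAKE_P7M = "bm90IHJlYWwgY2lwaGVydGV4dA=="

# Constructed sample: ciphertext part plus a cleartext copy of the same body.
LEAKY_SAMPLE = f"""From: alice@example.com
To: bob@example.com
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Quarterly numbers: revenue down 12%, do not forward.
--outer
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

{FAKE_P7M}
--outer--
"""

# Constructed sample: what a correctly encrypted message looks like,
# a single application/pkcs7-mime part and nothing else.
CLEAN_SAMPLE = f"""From: alice@example.com
To: bob@example.com
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

{FAKE_P7M}
"""

# Constructed sample: an ordinary unencrypted mail; readable, but not a leak.
PLAIN_SAMPLE = """From: alice@example.com
To: bob@example.com
Subject: lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Pizza at noon?
"""


if __name__ == "__main__":
    for name, sample in (("leaky", LEAKY_SAMPLE), ("clean", CLEAN_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(f"{name}: leaking={is_leaking(sample)} {find_cleartext_leak(sample)}")
```

Feed it the raw message as exported from a mail server queue or as reassembled from the SMTP DATA phase of a capture; a non-empty result means the ciphertext is doing no work. The check deliberately ignores what the pkcs7 part contains and only asks whether a readable companion is present, since that is the whole defect. It looks at text/plain parts only, which is the format the advisory ties the bug to; an HTML variant is not described on this page and is not covered.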

  • (Score: 2, Funny) by Anonymous Coward on Sunday October 15 2017, @07:33AM (8 children)

    by Anonymous Coward on Sunday October 15 2017, @07:33AM (#582572)

    I don't even have to go through a lengthy decryption process to read my email. What is so bad about this?

  • (Score: 2) by maxwell demon on Sunday October 15 2017, @08:21AM (2 children)

    by maxwell demon (1608) on Sunday October 15 2017, @08:21AM (#582576) Journal

    It's bad because the sender is tricked into wasting processor cycles generating an encrypted version, when he could have just sent the unencrypted mail as is. ;-)

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 0) by Anonymous Coward on Sunday October 15 2017, @09:49AM

      by Anonymous Coward on Sunday October 15 2017, @09:49AM (#582582)

      That's good for the economy. Win-win.

    • (Score: 0) by Anonymous Coward on Sunday October 15 2017, @01:25PM

      by Anonymous Coward on Sunday October 15 2017, @01:25PM (#582624)

      I'm sure those cycles are just used for something benign like facial recognition or dark web searches for missing children, why do you hate America?!

  • (Score: 2) by MostCynical on Sunday October 15 2017, @11:21AM (1 child)

    by MostCynical (2589) on Sunday October 15 2017, @11:21AM (#582604) Journal

    Better, you get to check your decryption worked properly!

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 0) by Anonymous Coward on Sunday October 15 2017, @04:03PM

      by Anonymous Coward on Sunday October 15 2017, @04:03PM (#582651)

      Real terrorists don't use Microsoft Outlook.

  • (Score: 5, Interesting) by kurenai.tsubasa on Sunday October 15 2017, @04:13PM (1 child)

    by kurenai.tsubasa (5227) on Sunday October 15 2017, @04:13PM (#582654) Journal

    lol! Bit more seriously, this comment reminded me of KMail from KDE 3.5, though. Crypto just worked, including the conundrum of managing keys on receipt of a mail with a signature from an unknown key. It was beautiful.

    I've always wondered if Redmond is under orders from some TLA to make crypto suck. It has native support for S/MIME, but only if you add your certificate to the Windows certificate store. Even then, you pretty much need a cert signed by the Guardians of SSL (CAs). I had to add my personal CA to Windows before it would use my cert. Also forget about trying to get it to read a good old PEM file. What is it? PKCS#7 it wants? Or something. GPG4Win has an Outlook plugin last I checked (maybe 7–8 years ago?) but it completely blows.

    In either case, it breaks the UI. You have to double-click on encrypted mail to open it in its own window. It won't show in the regular pane like every other mail. Screw user-friendliness I guess. (Haha, even the malfeature in TFS needs clicking!)

Oh well, it's turned into big business for cloudy mail providers for hospitals. Thanks to Outlook completely sucking at crypto, hospitals have been going with cloud-based mail vendors that require recipients to create a login for each vendor.

    Just imagine all the economic opportunities that would have been lost were crypto quick and easy like KMail!

    • (Score: 1) by Chromium_One on Monday October 16 2017, @02:27AM

      by Chromium_One (4574) on Monday October 16 2017, @02:27AM (#582874)

      It's both better and worse than all that: Microsoft exists primarily for the sake of generating work for IT/tech workers.

      Once you realize this, almost everything about them suddenly makes sense.

      Any profit they make is incidental, anything which pushes forward the state of the art is entirely accidental, not planned. That thing where historically the company has acted like a complete dick about so much of everything ... it's frustration from holding themselves back from trying to do any better!

      --
      When you live in a sick society, everything you do is wrong.
  • (Score: 2) by DECbot on Sunday October 15 2017, @04:42PM

    by DECbot (832) on Sunday October 15 2017, @04:42PM (#582662) Journal

This is where you're wrong and ignorant. It's been sufficiently secured by passing it through the rot-13 algorithm 4096 times. Don't assume no processing is going on to decrypt a plain clear text message.

    --
    cats~$ sudo chown -R us /home/base