[9169] in bugtraq
Re: Outlook 98 Security "Feature"
daemon@ATHENA.MIT.EDU (Jason Witty)
Fri Jan 22 12:59:24 1999
Date: Thu, 21 Jan 1999 16:23:58 -0600
Reply-To: Jason Witty <jason@WITTYS.COM>
From: Jason Witty <jason@WITTYS.COM>
To: BUGTRAQ@NETSPACE.ORG
I have noticed this same type of behavior using Outlook '98 and a
Verisign Personal Certificate. If, however, you do the following, it
will encrypt the reply:
1) Ensure the recipient is listed in your local contacts folder, and
that you have their public key (certificate).
2) When replying, erase the TO: field.
3) Click on the TO: button and change the "Show names from the:" box to
read "Contacts".
4) Select that person's alias from the local contacts folder, and click
the "To->" button.
5) Send the message
I realize this is highly "kludgy", but it seems to work. Hopefully
Micro$oft really IS working on a fix..........
Jason
Paul Leach wrote:
>
> > -----Original Message-----
> > From: Todd Beebe [mailto:todd@INTERNETWORKING.COM]
> > Sent: Saturday, January 16, 1999 6:57 PM
> > To: BUGTRAQ@NETSPACE.ORG
> > Subject: Outlook 98 Security "Feature"
> >
> >
> > The basic problem is "replying to an encrypted email fails".
> > Here's what I
> > initially sent to Microsoft on Sept. 11, 1998
> >
> > ***Start incident to Microsoft***
> >
> > After successfully receiving incoming email which is signed and
> > encrypted (Using Verisign Certificates on both ends), the
> > following error
> > dialog box appears when trying to send the reply (default
> > action is to both
> > sign/encrypt outbound email):
> >
> > ERROR: Non-Secure Recipients
> >
> > None of the recipients can process an encrypted message.
> > You can either
> > proceed with an unencypted message or cancel the operation.
> >
> > [Don't Encrypt Message] [Cancel]
> >
> > ***End incident to Microsoft***
> >
> > I don't think an encrypted email that I receive, should be
> > unencrypted when
> > I reply, and require me to Forward the reply to any and all
> > recipients.
> > Shouldn't the default be to encrypt all replies to encrypted email?
>
> Since the error message from Outlook means that it can't find the keys of
> any of the recipients in order to encrypt the reply, exactly _how_ do you
> expect it to do so?
>
> It appears that Outlook indeed wants to encrypt the reply, as you desire,
> and can't. So, there may be a bug here, but I seriously doubt that it is
> what you claim.
>
> Paul