Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

email signing

Posted on 2012-03-22
14
Medium Priority
?
658 Views
Last Modified: 2012-08-13
Can I ask in outlook 2003 what "email digital signing" is about and what it actually does to maintain the integrity of sent / received email? Is it a free feature within outlook? How can I digitally sign an email before sending it and what is the point in doing so?

Say I send email from myself to user X, and user X decides to edit the email after they receievd it, how will signing the email help there. Would prefer management type responses if poss, jargon freindly.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 5
14 Comments
 
LVL 30

Accepted Solution

by:
IanTh earned 1000 total points
ID: 37751688
0
 
LVL 3

Author Comment

by:pma111
ID: 37751692
I was hoping for some discussion really. I read a couple of links and havent quite grasped it.

Does the certificate prevent tampering of the email by the recipient, or if the user did tamper with the mail after receiving it, would it show up some how?

And who needs the certificate? I.e. both the sender and receiver? Or if you were using it internally can you buy like a corporate cert?
0
 
LVL 3

Author Comment

by:pma111
ID: 37751694
Do you  buy 1 certificate per user, 1 per email, or one per exchange server?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 59

Assisted Solution

by:Chris Bottomley
Chris Bottomley earned 1000 total points
ID: 37751719
The signing is an action taken on the email by the sender.  It basically identifies what the email looked like when it left their client.  If it is received without tampering then the signature and content match and all is well.

If someone picks up on the mail in the journey and makes a change to set for example transfer amount to 1000 from 1 then the content and signature mismatch and the recipient can see that.

This is different from encryption where the content is hidden and hopefully unreadable in any meaningful timeframe.  i.e. the data can be seen by everyone and can be trusted as presented if the sig is ok./

i.e. per http://office.microsoft.com/en-us/outlook-help/secure-messages-with-a-digital-signature-HP001230539.aspx

The key a sender gives to a recipient so that the recipient can verify the sender's signature and confirm that the message was not altered. Recipients also use the public key to encrypt (lock) e-mail messages to the sender.). This information proves to the recipient that you signed the contents of the message and not an imposter, and that the contents have not been altered in transit. For additional privacy, you can also encrypt messages.

Chris
0
 
LVL 3

Author Comment

by:pma111
ID: 37751723
However, what if... after a user receives the email. They open it in Outlook, right click, edit the message, save it. And then forward it on. How will the certificate help in that case? I.e. its arrived untampered. But the recipient themselves have then tampered with it and sent it on.
0
 
LVL 59

Expert Comment

by:Chris Bottomley
ID: 37751727
Signatures are client specific so unless everyone is using the same pc and outlook install then one per person.

For larger organisations you can have your own certificate server but in most cases I believe they will be hosted by providers.

I have my own for home and used to have a work hosted one for work.  THe work one was not so good as somehow the certificate could not be seen globally .... I had to send it out seperately whereas my provider based certificate simply works.

Chris
0
 
LVL 59

Expert Comment

by:Chris Bottomley
ID: 37751733
When a recipient sends the mail on it is no longer signed ... the act of sending it removes the 'received' signature.  Of course if the (re)sender has a certificate and elects to sign the message then the next recipient will see a signed email from you BUT no validation of the sender you received it from.

Chris
0
 
LVL 3

Author Comment

by:pma111
ID: 37751734
Whats the liklehood of an email being tampered in transmition in an internal LAN? Theoretical at best?

And also...

However, what if... after a user receives the email. They open it in Outlook, right click, edit the message, save it. And then forward it on. How will the certificate help in that case? I.e. its arrived untampered. But the recipient themselves have then tampered with it and sent it on.
0
 
LVL 3

Author Comment

by:pma111
ID: 37751741
So, am I right in thinking.

If an email is sat in a users inbox. The user decides to edit the message whilst in their inbox. If they dont send it on, does it flag up as "this user has edited the text of this email from the original".

Or would it only flag it up if "this email was tampered during transmission, it isnt the original".
0
 
LVL 3

Author Comment

by:pma111
ID: 37751761
I.e. does it provide accountability to email at rest (sat in the mailbox) as well as email in transit. The issue could be a user receives the email. Then decides to edit it, so in their inbox is appears as modfiied. I wasnt sure if a digital  cert "locks" the email when in the inbox so it cant be amended. Or whether if someone does amend it somewhere the hash then doesnt match thus it flags it up in outlook as "someones messed about with this since it was received, this isnt the original".
0
 
LVL 3

Author Comment

by:pma111
ID: 37751844
And does a dig signature consider attachments as well as message txt? i.e. if the attached word document was also edited in transit would that also show as a mismatch?
0
 
LVL 59

Expert Comment

by:Chris Bottomley
ID: 37751871
As soon as you modify a signed email from elsewhere the signature is invalid.  i.e. any change to the attachments is a change to the email so the attachments are marked as invalid by virtue of the edit to the email.

Capability wise it is probably high that someone within an intranet CAN hack a message as compared to finding a useful email outside but within an organisation there is little cause in my view for signing ... unless legal requirements apply.

Chris
0
 
LVL 3

Author Comment

by:pma111
ID: 37751888
Ok Chris,

But, say an email (digitally signed) appears in my inbox,

a) How does it visually appear as either "ok -not tampered" or "tampered"? Can you provide a screenshot? Of how they will visually appear in outlook.

And my core question is,

b) In outlook 2003, if I open an email (digitally signed), right click, edit message, change the text, and save it, does it then also visually appeared as tampered, or does it remain as ok?

My concern is more email at rest (sat in a team/shared inbox) as opposed to in transmission.

I can see dig certs affect in transmission, but I wasnt sure if it "stops there" and any amendement of the email whilst in the inbox will affect the dig sig "ok not tampered"
0
 
LVL 59

Expert Comment

by:Chris Bottomley
ID: 37751972
Exact appearance will vary with application version but there will be a bar on the email to show signed or an error with the signature.  The explorer does not in my experience show this status you need the preview or mail active.

I did already say that as soon as a mail is edited in any way the signature becomes invalid.  I.e at rest or in transit, a change renders the sig invalid hence from the moment an email is saved either for retention or as part of a send.

Chris
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes how to import Lotus Notes Contacts into Outlook 2016, 2013, 2010 and 2007 etc. with a few manual steps. You can easily export and migrate Lotus Notes contacts into Microsoft Outlook without having to use any third party tools.
New style of hardware planning for Microsoft Exchange server.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question