Outlook may not encrypt your email if you use S/MIME encryption
Users who send encrypted email from Microsoft Outlook using the S/MIME standard may leak information because of a bug in Outlook.
The problem is that Outlook sends these emails in both encrypted and unencrypted form. An attacker who can watch email traffic can read the contents of these emails. The error only occurs under the circumstances below.
- Only email encrypted with the S/MIME public key encryption standard is affected, not PGP/GPG.
- It only happens with email sent by Outlook, not with received mail.
- It only occurs with Outlook email sent in plain text. Outlook's default setting is to use HTML format.
- It occurs when the user encrypts a reply to a plain-text email. Outlook automatically switches from the default HTML format to plain text when replying to such an email.
- It occurs when Outlook is used with an SMTP server.
- When the Outlook client is used with Microsoft Exchange, the leak reaches only one server hop. This limits the leak of the encrypted email to the corporate network. TLS must be turned off for email communication.
- It also shows up in the recipient's email client. Because email clients display a preview of the email content, an attacker can view the content of the encrypted email even without an encryption key. For example, an attacker who has the email password but not the S/MIME key can still read received content that was sent by a faulty Outlook installation.
Although it is limited to these situations, this leak is still a sensitive issue. Companies often use encryption to protect sensitive information shared via email. Many bug and vulnerability reports are also sent in encrypted form.
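One way a mail gateway or outbound archive could check for the symptom described above, as an added example that is not from the original article or from SEC Consult: flag any message that carries an S/MIME encrypted part together with readable text. The function name, the sample messages, and the MIME layout of the leaky sample (a plain-text part beside smime.p7m) are assumptions, since the article does not describe the wire format.

```python
from email import message_from_string, policy

# Content types used for S/MIME CMS objects.
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def audit_outbound(raw: str) -> dict:
    """Report whether a message mixes S/MIME ciphertext with readable text."""
    msg = message_from_string(raw, policy=policy.default)
    encrypted, readable = False, []
    for part in msg.walk():
        if part.get_content_type() in SMIME_TYPES:
            # signed-data is not encryption; a missing smime-type is treated
            # as enveloped-data here (a heuristic, so review flagged mail).
            kind = str(part.get_param("smime-type", "enveloped-data")).lower()
            encrypted = encrypted or kind == "enveloped-data"
        elif part.get_content_maintype() == "text":
            text = part.get_content().strip()
            if text:
                readable.append(text)
    return {
        "encrypted": encrypted,
        "cleartext_leak": encrypted and bool(readable),
        "readable_chars": sum(len(t) for t in readable),
    }

# Constructed sample: ciphertext accompanied by the same mail in plain text.
LEAKY = """\
From: alice@example.com
To: bob@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Confidential: the figures are attached.
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""

# Constructed sample: the whole message is one encrypted CMS object.
CLEAN = LEAKY.split("\n--b1\n")[2].replace("\n--b1--\n", "\n")

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, audit_outbound(raw))
```

A hit means readable text travelled with the ciphertext and the message needs manual review; the check is a heuristic and does not prove which client produced it.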
Microsoft is silent about the real impact
SEC Consult researchers discovered the S/MIME encrypted email leak earlier this year. Another user also reported the same issue on the Microsoft forum a month later.
The researchers said they contacted Microsoft about the error, and the company fixed it yesterday in its Patch Tuesday release, as CVE-2017-11776. Microsoft has not disclosed which versions of Outlook are affected, meaning it may affect every version.