Closed Bug 1111578 Opened 10 years ago Closed 7 years ago

Thunderbird creates invalid signatures for Outlook 2010 on Windows XP (only)

Categories

(Thunderbird :: Security, defect)

36 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: nONoNonO, Unassigned)

References

Details

(Keywords: regression)

Attachments

(2 files)

Probably due to bug 1018259, Thunderbird 36 on Windows 7 creates messages with invalid digital S/MIME signatures for my coworkers using Outlook 2010 on Windows XP. They get an error message saying "This item cannot be displayed in the Reading Pane. Open the item to read its contents."

When I try to open such an email on my virtual XP I get a popup "Cannot open this item. Your Digital ID name cannot be found by the underlying security system."

I assume you mean it works if sending w/ tb31? Could you try nightlies between the checkin dates for bug 1018259?
Keywords: regression

Yes, it works with TB 31.0 Release. I verified that the regression was between nightlies from 2014-10-26 and 2014-11-09, which led me to think bug 1018259 was the cause. If needed I can check other versions too to make the range smaller.

I first noticed this problem in Aurora starting December 9, I think...
Bug 1018259 - Thunderbird should stop using SHA-1 when signing email messages:
> [...] Microsoft has announced a policy deprecating the use of SHA-1 when signing
> certificates:
> http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx.
> Based on this decision, it has been recommended that in the near future Mozilla also
> stop accepting some certificates that have been signed using SHA-1 (bug 942515).

Is it known if Outlook 2010 supports signatures up to SHA-1 /only/ in which case this should be a clear cause as long as versions after Outlook 2010 supporting SHA>1 work with Thunderbird's signatures?
http://technet.microsoft.com/en-us/library/jj984207%28v=office.14%29.aspx table 2 lists Outlook 2010 capabilities as "Sign/Verify" for SHA-1.

Onno: are we talking about encryption or just signing here?
I have only tried signing. I'm not sure if I can test encrypting, because I don't know of any coworkers that have a certificate. I'll try to encrypt to myself, but I'm not sure if that's representative. In my Outlook 2010 on Windows 7 I also see my own signed messages normal; the displaying problem seems to be limited to Windows XP.
Or maybe someone else can send me an encrypted email, so I can verify if/how it displays in Outlook 2010 on Windows XP.

Please send me a signed test mail, and I'll send you an encrypted one.
(In reply to rsx11m from comment #4)
> Bug 1018259 - Thunderbird should stop using SHA-1 when signing email
> messages:
> > [...] Microsoft has announced a policy deprecating the use of SHA-1 when signing
> > certificates:
> > http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx.
> > Based on this decision, it has been recommended that in the near future Mozilla also
> > stop accepting some certificates that have been signed using SHA-1 (bug 942515).
> 
> Is it known if Outlook 2010 supports signatures up to SHA-1 /only/ in which
> case this should be a clear cause as long as versions after Outlook 2010
> supporting SHA>1 work with Thunderbird's signatures?

In the SHA1 Deprecation Policy it says: "The policy applies to Windows Vista and later, and Windows Server 2008 and later." So for Windows XP SHA1 doesn't seem to be deprecated (I know, Windows XP itself is deprecated, but my company has bought extended support for it at Microsoft and I think a lot of other companies have done that too...)
On my virtual Windows XP I cannot open the message at all, but it still has Outlook 2010 SP1. Unfortunately I have problems installing SP2 there at the moment because of disk space shortage, so I'm trying to install Outlook on a different machine now...
This is expected behavior under Windows XP (which has been EOL'ed eight months ago, right?).

Windows XP SP3 has only added limited support for SHA-2 hashes, and it doesn't apply to S/MIME messages, in particular. Cf. e.g. http://support.microsoft.com/kb/968730:

> Windows XP SP3 implements and supports the SHA2 hashing algorithms
> (SHA256, SHA384, and SHA512) in the X.509 certificate validation. The
> changes in the certificate validation are meant to enable the
> scenario of the SSL/TLS authentication. Other scenarios that involve
> certificate validation may not work if you use certificates that are
> secured by using the SHA2 algorithms if the protocols and the
> applications do not support the SHA2 hashing algorithms. For example,
> the S/MIME signed e-mail verification and the Authenticode signature
> verification do not support the SHA2 hashing algorithms on a computer
> that is running Windows XP SP3.

Similarly, http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx:

> All those warnings aside, the basic functionality for Outlook is as
> follows. Outlook 2003, 2007, and 2010 running on Windows XP Service
> Pack 3 can sign and validate certificates when that certificate
> itself is SHA2 signed. Outlook 2003, 2007, and 2010 running on
> Windows XP Service Pack 3 cannot validate email messages when the
> message itself is SHA2 signed (regardless of the certificate used).
> Outlook 2003, 2007, and 2010 running on Windows XP Service Pack 3
> cannot sign a message with SHA2; only SHA-1 and MD5 are available.
> 
> In order to validate SHA2 messages, Windows Vista with Outlook 2003
> (or newer) is needed. In order to both sign and validate SHA2
> messages, Windows Vista or 7 with Outlook 2007 or 2010 is needed.

While implementing bug 222179 would allow users to downgrade to SHA-1 again, I do wonder if Tb should really make that sort of effort to "improve" compatibility with a clearly insecure OS/mail client combo.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 7 → All
Hardware: x86 → All
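As an added illustration (not code from this bug or from Thunderbird), the following Python check reads the micalg parameter of a multipart/signed S/MIME message and flags the case the Microsoft articles quoted above describe: Outlook 2003/2007/2010 on Windows XP SP3 can only verify messages signed with SHA-1 or MD5. The sample messages are constructed skeletons, not real captures.

```python
# Added example (not code from this bug or from Thunderbird): classify the digest
# algorithm of an S/MIME multipart/signed message and flag the case the quoted
# Microsoft articles describe: Outlook 2003/2007/2010 on Windows XP SP3 can only
# verify messages signed with SHA-1 or MD5.
from email import message_from_string
from email.message import Message
from typing import Optional

# micalg values (RFC 1847 / RFC 5751) a Windows XP SP3 Outlook can verify, per
# KB 968730 and the "SHA2 and Windows" article quoted above: SHA-1 and MD5 only.
XP_VERIFIABLE = {"sha1", "sha-1", "md5"}


def signature_micalg(msg: Message) -> Optional[str]:
    """Normalized micalg parameter of a multipart/signed message, else None."""
    if msg.get_content_type() != "multipart/signed":
        return None
    micalg = msg.get_param("micalg")
    return None if micalg is None else str(micalg).lower()


def xp_outlook_can_verify(raw_message: str) -> Optional[bool]:
    """True/False for a clear-signed message; None if it is not multipart/signed."""
    micalg = signature_micalg(message_from_string(raw_message))
    return None if micalg is None else micalg in XP_VERIFIABLE


# Constructed sample (not a real capture): the header skeleton of a clear-signed
# message with the SHA-256 micalg Thunderbird 36 uses after bug 1018259; the body
# and the .p7s part are placeholders.
SAMPLE_SHA256 = """\
Subject: test
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
SAMPLE_SHA1 = SAMPLE_SHA256.replace("micalg=sha-256", "micalg=sha1")  # as TB 31 sent it

if __name__ == "__main__":
    for raw in (SAMPLE_SHA256, SAMPLE_SHA1):
        print(signature_micalg(message_from_string(raw)), xp_outlook_can_verify(raw))
```

Opaque-signed messages (application/pkcs7-mime) carry the digest OID only inside the CMS structure, so this header-level check does not cover them.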
(In reply to Kaspar Brand from comment #10)
> This is expected behavior under Windows XP (which has been EOL'ed eight
> months ago, right?).

Thank you for confirming this bug. My company has bought extended support from Microsoft for Windows XP and I guess more companies have done that. On addons.mozilla.org I cannot see which Windows version my add-on users use, but maybe you can look behind the scenes and see what percentage is still using Windows XP.

...

> While implementing bug 222179 would allow users to downgrade to SHA-1 again,
> I do wonder if Tb should really make that sort of effort to "improve"
> compatibility with a clearly insecure OS/mail client combo.

Well, it is preventing me from using a Nightly/Aurora version at the moment, or at least preventing me from using digital signing/encrypting with it. Maybe by the time Thunderbird 38 is released, my company will have made the switch to Windows 7, but I wouldn't count on it.

Fortunately I have Enigmail/OpenPGP as an alternative that still works in case I need to send private data...
(In reply to Magnus Melin from comment #7)
> Please send me a signed test mail, and i'll send you an encrypted one.

Surprisingly Outlook 2010 can decrypt the message, but when I view the message security properties I see an error:
The system is not able to verify this signature because it does not support the hashing or signing algorithm.
Signed by mkmelin+mozilla@iki.fi using RSA/SHA256 at 18:22:38 16-12-2014.
For signing Outlook 2010 only supports SHA1 and for encryption it supports 3DES, RC2 (128-bit), RC2 (64-bit), DES and RC2 (40-bit).
(In reply to Onno Ekker [:nONoNonO UTC+1] from comment #13)
> For signing Outlook 2010 only supports SHA1 and for encryption it supports
> 3DES, RC2 (128-bit), RC2 (64-bit), DES and RC2 (40-bit).

Just to be precise: this should read "Outlook 2010 under Windows XP". On Windows 7 e.g., Outlook 2010 also offers SHA256/SHA384/SHA512 for signing, and AES (128/192/256-bit) for encryption - it's the Crypto API implementation in the OS-provided crypt32.dll which matters, not the application DLLs from Outlook.
Given this only affects XP I'd be hesitant to do much about it. If anything, probably just bug 222179 as a hidden pref.
Blocks: 1018259
Summary: Thunderbird creates invalid signatures for Outlook 2010 on Windows XP → Thunderbird creates invalid signatures for Outlook 2010 on Windows XP (only)
Now that Win XP is unsupported, is there anything we can do here?
I think we're done here.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX