Outlook Express ® misbehaves when opening GnuPG signed emails

As of today (August 5, 2006) it seems that even the more recent versions of native Outlook Express ® still suffer from a "bug" that has been well known at least since 2001: they fail to properly display the text of a message signed with a GnuPG electronic signature. By native I mean: as it is after a brand new install of XP; I did not check its behaviour when proper plug-ins are added. For a shorter explanation, leave this page and follow this link, if you already know how MIME works.

1. A (not too technical) description of what MIME is and what is wrong with Outlook Express

The problem we are talking about really is a defect of the program; it is not simply that the particular software for decoding the signature is not implemented. Any MUA (= Mail User Agent; the program you use for reading e-mail), even a thirty-year-old one, should allow you to read a message with an OpenPGP signature; in the worst case, it would display it with some garbage at the end.

Indeed, the point is MIME (= Multipurpose Internet Mail Extensions): MIME is a set of standardized rules (RFC2045) for including attachments in e-mails (these rules are designed to be followed by programs, not by users, who may well be unaware of them). Since the original 1982 mail standard (RFC822) only allows sending plain text (more precisely, US-ASCII), the MIME standard was proposed as a backward-compatible extension, which establishes how to translate (encode, properly speaking) executables, movies, pictures, and so on, into plain text, and how to reliably embed them inside plain text emails which can then be sent as usual. Of course MIME also specifies how to extract and translate them back to their original form when the message is received. This requires each attachment to be of a given mimetype (RFC2045); for example, a jpeg attachment will be encoded and decoded according to the declared mimetype image/jpeg. The mimetype of each attachment is declared in the body of the email.

MIME is now a draft standard, namely it reached the last step before becoming a standard. Yet it is considered a standard by (nearly) everybody, since otherwise there would be no other means to send attachments than using uuencode, a hacker's trick.

Now, it is clear that any message is plain text, since either it has no attachments, or the attachments are MIME-encoded (= translated to plain text). Even a thirty-year-old, MIME-unaware MUA would be able to display it, even if a bit (or a lot) messed up.

Of course, each time a new file format is introduced, a new mimetype must be defined; older browsers cannot be aware of new mimetypes unless they are upgraded. In such cases, a MUA should warn the user that an attachment of unknown type arrived with a certain e-mail. The official list of known mimetypes is maintained by IANA, the central internet authority (the list is somewhat obsolete, since e.g. audio/x-wav is not known). It may also happen that a MUA knows the mimetype, but there's no plug-in to open it. In this case the MUA should warn the user that an attachment of known type arrived, which is impossible to open.

What is of interest to us is that MIME also explains how to keep the text of the email separate from the attachments, and how to keep attachments separate from each other (they all must fit in one single plain text message) when there is more than one attachment. For more than one attachment, there are "multipart" mimetypes. For example, it is quite common to send messages both in plain text and HTML format. This is achieved by producing messages containing both the plain text and HTML versions as two separate attachments (each one with its own mimetype); such mails may be regarded as empty mails with two attachments.

We are getting close to the point. A dedicated "multipart" attachment may exist, for example "multipart/alternative" for data represented in different formats (e.g. plain text and HTML); otherwise "multipart/mixed" allows for attachments of mixed types. Of course, Outlook Express knows that. For example, in the case of a "multipart/alternative" message with HTML and plain text messages, Outlook Express does the right thing and, depending on the user's configuration, displays either the plain text or the HTML text: nobody ever experiences problems in reading HTML mails with Outlook Express (disregarding security and privacy issues). So Outlook Express definitely knows how to handle "multipart/alternative" messages.

As far as I know, it always behaves correctly except in one single case: when the mimetype is "multipart/signed". This is somewhat singular and unexpected, since the mechanism is the same as with HTML multipart messages. For a "multipart/signed" message, instead of displaying the text of the message as a displayed text/plain attachment and ignoring the attached OpenPGP signature, Outlook Express displays an empty message with two attachments. This is even more singular if one considers that the "multipart/alternative" mimetype was defined in 1996, and the "multipart/signed" in 1995. In a sense, Outlook Express behaves as if text/plain attachments were potentially dangerous from the standpoint of Internet security (only when they are inside a "multipart/signed" message, oddly enough). As far as I know, Outlook Express is the only MUA suffering from this problem (I have no "non Express" Outlook around, so I cannot check it).

Outlook Express may NOT be called a non MIME-conformant MUA, according to the definition of MIME conformance (RFC2046), since the minimal requirements there are that conformant MUAs should recognize the mixed, alternative and digest multipart subtypes, and treat unrecognized multipart as mixed. We may only say that Outlook Express does not understand mimetypes which were defined more than 10 years ago and which all present-day MUAs I know (including Microsoft Exchange, Thunderbird, Eudora, PC-PINE) do recognize.

This "bug" has been known for years. It is rather unfortunate that it has never been removed. Indeed, since Outlook Express is used by the vast majority of users worldwide, this "bug" makes it rather inconvenient for everybody to use OpenPGP; whoever uses OpenPGP to sign his/her emails knows that most Outlook Express users will not read his/her messages. Also for this reason, many users needing an electronic signature prefer to spend their money on a proprietary service, instead of using freely available open source and open standards.

2. An example, and screenshots from popular MUAs

Here below, you may see the true (apart from the email address, hidden for self-defense against spam) content of a MIME-encoded, OpenPGP-signed message; below it you will see some screenshots with popular MUAs and Outlook Express. In the mail you will recognize:
Here is the message:

    Subject: Example
    From: Gherardo Piacitelli <xxxxxxxxx@yyyyyyyyyyyyyy>
    Reply-To: yyyyyyyy@zzzzzzzzzzzz
    To: Gherardo Piacitelli <xxxxxxxxxx@yyyyyyyyyyyy>
    Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-yGFEK7iNGPPWcjySqynK"
    Organization: www.piacitelli.org
    Date: Sat, 05 Aug 2006 17:37:57 +0200
    Message-Id: <0123456789@myhost>
    Mime-Version: 1.0
    X-Mailer: Evolution 2.6.1

    --=-yGFEK7iNGPPWcjySqynK
    Content-Type: text/plain
    Content-Transfer-Encoding: quoted-printable

    This message is an example of a multipart/signed, MIME-encoded message for the purpose of illustration of a problem with Outlook Express.

    Gherardo Piacitelli

    --=-yGFEK7iNGPPWcjySqynK
    Content-Type: application/pgp-signature; name=signature.asc
    Content-Description: This is a digitally signed message part

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2.2 (GNU/Linux)

    iD8DBQBE1LtVsGnAjV3TdEIRAoObAJ9cuJ7IV4zTRmR54Yaltzzz1whngQCfZNP9
    TtRH7p5XtZ5mERx6YysMNk4=
    =IV2P
    -----END PGP SIGNATURE-----

    --=-yGFEK7iNGPPWcjySqynK--

And here is a screenshot of how this message appears when displayed with a popular open source MUA under Linux:
Here of course the mail address is not hidden; spambots do not read images. In the screenshot you may recognize the plain text message correctly displayed, and the signature indicated as valid at the bottom of the window, in the green panel. The following screenshot is taken from a popular MUA under Windows XP, Thunderbird (I imported the folder from Outlook Express to show that I checked precisely the same message):
The above MUA has no plugin to open the attached digital signature, yet it correctly implements MIME directives and properly displays the message. In the following section you will find screenshots taken with Outlook Express and instructions for viewing digitally signed messages.

3. Screenshots from Outlook Express with the same example.

When receiving the same message described here above with Outlook Express, you probably will see a window like the following:
You may see that the body is blank, and there is a clip indicating that there are attachments. If you click on the clip, a new window opens:
To see the message, click on the attachment with .txt extension; you will open the text (probably with notepad), and see
Of course if you wish to reply and quote the message, you have to copy the text to the clipboard, reply to the empty message, paste the clipboard, add by hand the first column of >'s... In case you wish to see the digital signature (why should you? It's just garbage text, only useful if you have a proper plug-in), you must save it and open it with notepad.
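
The display behaviour discussed in sections 1 and 3, as an added Python example that is not part of the original page: `render` shows a multipart/signed message either per RFC 1847 or through the RFC2046 treat-as-mixed fallback, and the `attach-all` policy models the empty-body display reported above for Outlook Express. The message is constructed from the page's example with a dummy signature; the function name and policy names are assumptions of this example.

```python
from email import message_from_string

# Constructed from the page's example: same structure, boundary and body text;
# headers trimmed, and a dummy signature block that will not verify.
RAW = """\
Subject: Example
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature"; boundary="=-yGFEK7iNGPPWcjySqynK"

--=-yGFEK7iNGPPWcjySqynK
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

This message is an example of a multipart/signed, MIME-encoded message.

--=-yGFEK7iNGPPWcjySqynK
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----
(dummy)
-----END PGP SIGNATURE-----

--=-yGFEK7iNGPPWcjySqynK--
"""
MSG = message_from_string(RAW)

def render(part, signed="rfc1847"):
    """Return (inline_text, attachment_types) for one display policy."""
    ctype = part.get_content_type()
    if not part.is_multipart():
        if ctype != "text/plain":
            return "", [ctype]               # no viewer: list as attachment
        raw = part.get_payload(decode=True)  # undoes quoted-printable/base64
        return raw.decode(part.get_content_charset() or "us-ascii"), []
    kids, extra = part.get_payload(), []
    if ctype == "multipart/signed" and signed == "attach-all":
        return "", [k.get_content_type() for k in kids]  # display seen on the page
    if ctype == "multipart/signed" and signed == "rfc1847":
        # RFC 1847 layout: part 1 is the signed content, part 2 the signature.
        kids, extra = kids[:1], [k.get_content_type() for k in kids[1:]]
    elif ctype == "multipart/alternative":
        plain = [k for k in kids if k.get_content_type() == "text/plain"]
        kids = plain[:1] or kids[-1:]
    # Anything else, including unrecognized subtypes, is handled as mixed.
    text, atts = "", []
    for k in kids:
        t, a = render(k, signed)
        text, atts = text + t, atts + a
    return text, atts + extra
```

Calling `render(MSG, signed="as-mixed")` gives the same text and attachment list as the default policy, which is why a reader with no OpenPGP support at all can still show the body.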




