During a recent visit to a company handling sensitive information, I came across a well-known email encryption solution they were using for both internal and external communications. The solution allowed automatic email signing by including the keyword ‘signemail’ in the subject line, and similarly, messages could be encrypted automatically if marked as confidential or by adding the keyword ‘encryptemail’ to the subject.
At first glance, this seamless integration seemed promising, eliminating the need for additional user steps or complex button presses. However, there exists a critical flaw in this solution (I won’t mention the product as it’s unclear if this is a product or configuration issue).
The problem lies in the precedence given to signing over encryption. If both keywords, ‘signemail’ and ‘encryptemail’, are included in the subject line, the message is only signed and encryption is not applied. It is worth noting that the encryption solution also signs the message, so an explicit sign keyword adds nothing when encryption is desired.
This flaw has the potential to create significant issues in various scenarios. For instance, consider the situation where Alice sends a signed email requesting sensitive information from Bob. It is reasonable for Alice to digitally sign the request since only specific individuals can access the information. However, the request itself might not be sensitive.
Now, when Bob replies to this request with the confidential information attached, he follows company policy and marks it as confidential, adding the encryption keyword, ‘encryptemail,’ to the subject line. He assumes that the information will be automatically encrypted. Unfortunately, if Bob forgets to remove Alice’s ‘signemail’ keyword, the message will only be signed and not encrypted. As a result, this unintentional error breaches policy and sends confidential information in plain text, while Bob believes it is securely encrypted.
Moreover, this situation reveals the risk of using everyday language as keywords. For instance, employing ‘sign’ as a keyword would be matched by an ordinary subject such as ‘Contract for you to sign’, so a sensitive document sent under that subject would be signed, and with the precedence described above, not encrypted.
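To make the precedence bug concrete, here is an added example (my own model of the behaviour described above, not the product's code): a keyword-driven policy function with the flawed ordering beside a corrected one, and a check that flags subjects that should have been encrypted but were not. The subject lines, keyword sets and substring matching are constructed assumptions; the product's real matching rules are unknown.

```python
# Keywords from the post; ('sign',) models the everyday-word variant it warns against.
SIGN_KEYWORDS = ("signemail",)
ENCRYPT_KEYWORDS = ("encryptemail",)


def _has_keyword(subject, keywords):
    """Case-insensitive substring match (assumed; the product's matching is unknown)."""
    s = subject.lower()
    return any(k in s for k in keywords)


def flawed_policy(subject, confidential=False, sign_keywords=SIGN_KEYWORDS):
    """Reproduces the bug: a sign trigger short-circuits the decision, so an
    explicit encrypt keyword or a confidential marking is silently ignored."""
    if _has_keyword(subject, sign_keywords):
        return {"sign"}
    if confidential or _has_keyword(subject, ENCRYPT_KEYWORDS):
        return {"encrypt", "sign"}  # encryption also signs, as noted in the post
    return set()


def fixed_policy(subject, confidential=False, sign_keywords=SIGN_KEYWORDS):
    """Hardened ordering: evaluate encryption first; a sign trigger never downgrades it."""
    if confidential or _has_keyword(subject, ENCRYPT_KEYWORDS):
        return {"encrypt", "sign"}
    if _has_keyword(subject, sign_keywords):
        return {"sign"}
    return set()


def find_downgrades(messages, policy=flawed_policy, sign_keywords=SIGN_KEYWORDS):
    """Regression check for an organisation's test run: return every subject that
    should have been encrypted (confidential flag or encrypt keyword) but was not."""
    return [
        subject
        for subject, confidential in messages
        if (confidential or _has_keyword(subject, ENCRYPT_KEYWORDS))
        and "encrypt" not in policy(subject, confidential, sign_keywords)
    ]


# Constructed sample messages: Bob's reply that still carries Alice's keyword,
# a routine message, and a properly marked confidential one.
SAMPLE_MESSAGES = [
    ("Re: signemail Q3 figures request encryptemail", True),
    ("Weekly status", False),
    ("encryptemail board pack", True),
]

if __name__ == "__main__":
    print("flawed policy downgrades:", find_downgrades(SAMPLE_MESSAGES))
    print("fixed policy downgrades: ", find_downgrades(SAMPLE_MESSAGES, fixed_policy))
```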
In light of this vulnerability, I strongly recommend that organizations employing such a solution test it thoroughly to determine whether this interaction occurs in their system. If the flaw exists, it is crucial to issue an advisory to users to prevent inadvertent breaches of confidentiality. Addressing this issue promptly will help safeguard sensitive information and maintain a robust email security environment.