Digitally signed emails cannot be manipulated. Really?
Some of you are aware that regular emails can be easily manipulated without leaving traces of the altered content. This is why emails are weak as evidence, unless some sort of proof can be established regarding their contents and delivery. Too many people still have no clue about this and tend to believe that what they send and receive via email will always stand as solid evidence.
What about digitally signed emails? Can these be fully trusted? Although this may surprise you, the answer is NO; digitally signed emails are as easy to manipulate as regular emails are.
To better understand this, we should first explain what digital signatures applied to emails are meant for. There’s only one reason to send digitally signed emails: to assure the recipient that it was you who really sent the email. As a matter of fact, in the sender’s Sent Messages folder of most email clients, digitally signed emails are not listed any differently than unsigned emails. Why should they be? From the sender’s point of view, it is irrelevant whether an email was sent digitally signed or unsigned.
It’s not difficult to imagine a few reasons why someone would be interested in manipulating a digitally signed email received from you. What if, by doing so, the digital signature’s properties could be kept intact?
Manipulating a digitally signed email fully
That’s easy. Save any digitally signed email to disk, open it with any text editor, change whatever you want in its header and body, add or remove attached files, and save it. Open it again in your email client and there you are.
The drawback of this manipulation is that the email will not appear as digitally signed; but, surprisingly, no email client will show any alert asserting there’s a problem with that email or with its formerly applied digital signature.
Manipulating an email without removing its digital signature
Think about this possibility. You send a digitally signed email to a client of yours. As we have explained, your email client will not show the email as digitally signed, but the recipient’s Inbox folder certainly will. If he could modify some information in your email without affecting the digital signature, and so still be able to prove that you were the one who sent him that email, wouldn’t you be a bit worried?
Well, that’s exactly what we are talking about. There are two pieces of information in a digitally signed email that can be altered without affecting the digital signature: the date of the email and the recipient’s address. The implications of this are beyond the scope of this post, but they are not hard to figure out.
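To see why the date and recipient fall outside the signature, here is an added example (not code from the original post). It assumes the message uses the S/MIME multipart/signed layout, in which the signature is computed over the first body part only; the sample messages, addresses and the signed_part and compare helpers are constructed for illustration. It compares a retained sent copy with a copy presented later, reporting whether the signed part is byte-identical and which outer headers differ.

```python
import hashlib
from email import message_from_bytes

# Constructed sample in multipart/signed layout; the signature is a placeholder.
SENT = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\n"
    b"Date: 1 Jan 2024 10:00:00 +0000\r\nSubject: Offer\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    b' micalg=sha-256; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nThe price is 100 EUR.\r\n"
    b"--b1\r\nContent-Type: application/pkcs7-signature\r\n\r\nPLACEHOLDER\r\n"
    b"--b1--\r\n"
)
# Constructed copy as it might be presented later: outer To and Date differ.
PRESENTED = SENT.replace(b"To: bob@", b"To: carol@").replace(b"1 Jan", b"1 Mar")


def signed_part(raw: bytes) -> bytes:
    """Return the exact bytes of the first body part, which the signature covers."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    delim = b"--" + msg.get_boundary().encode("ascii")
    body = raw.split(b"\r\n\r\n", 1)[1]            # drop the outer, unsigned headers
    after_first = body.split(delim + b"\r\n", 1)[1]
    return after_first.split(b"\r\n" + delim, 1)[0]  # CRLF before delimiter is not content


def compare(sent: bytes, presented: bytes) -> dict:
    """Compare a retained sent copy with a copy presented later."""
    a, b = message_from_bytes(sent), message_from_bytes(presented)
    names = set(a.keys()) | set(b.keys())
    digest_a = hashlib.sha256(signed_part(sent)).digest()
    digest_b = hashlib.sha256(signed_part(presented)).digest()
    return {
        "signed_part_identical": digest_a == digest_b,
        "outer_headers_changed": sorted(
            h for h in names if a.get_all(h) != b.get_all(h)
        ),
    }


if __name__ == "__main__":
    print(compare(SENT, PRESENTED))
```

A retained copy of the sent message is what makes this comparison possible; the signature alone does not reveal a change to the outer headers.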
Once you realize the potential risks of digitally signed emails, you will probably think twice before again sending out an email that someone could alter and still prove it was you who sent it.
Meet Carlos, the founder and CEO of eEvidence. With a passion for shaping the digital landscape and a deep commitment to the less favored, he’s more than a leader — he’s a force for positive change. When not at the helm, Carlos is fueled by innovation, ready to lead, inspire, and make waves in the world.