Results 1 to 10 of 10
  1. #1
    5 Star Lounger
    Join Date
    Mar 2002
    Location
    Buenos Aires, Argentina
    Posts
    877
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Uneditable Mail (OL 2000/2003)

    Mods, feel free to move this post to wherever you feel it belongs.

    We need to send to the organizations we work with an e-mail with a certain notification. This notification has a list of files they are supposed to send us. We want to make sure no one can modify this list. We thought of different alternatives:

    a) Attaching the list in a suitable text file, computing a hash of this file and sending the hash value in the e-mail so if they modify the text file they won't be able to generate the same hash.
    [img]/forums/images/smilies/cool.gif[/img] Sending a digitally signed e-mail containing the list either plainly typed or within an attached file.
    c) A combination of a) and [img]/forums/images/smilies/cool.gif[/img].

    The problems we fear might arise, respectively, are:
    a) That someone might tamper with the attachment, generate the modified file's hash value and modify the hash value stated in the e-mail. I know that Outlook mails properties (File | Properties) show if and when the message has been modified (e.g. via Edit | Modify). But I don't know if all mail clients are so trustworthy.
    [img]/forums/images/smilies/cool.gif[/img] This is my short experience with signed mail: Outlook will show if the message has been tampered with in any form. That is, if it's been manually edited of modified by some program (e.g.: Anti Virus software, Anti-Spam software, etc). What I don't know is, again, if all mail clients are so trustworthy / compatible with digital signatures.

    I also thought of an alternative involving PGP, but if possible I'd prefer not to force recipients to have PGP installed. It's an alternative I would consider, though.

    What do you think? Any suggestions?
    <img src=/w3timages/blue3line.gif width=33% height=2>
    <img src=/S/flags/Argentina.gif border=0 alt=Argentina width=30 height=18> <big><font color=4682b4><font face="Comic Sans MS">Diegol</font face=comic></font color=4682b4> </big>

  2. #2
    Plutonium Lounger Leif's Avatar
    Join Date
    Dec 2000
    Location
    U.K.
    Posts
    14,010
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Uneditable Mail (OL 2000/2003)

    Why not just send them a link to a (secure) page on your website. That would need to be hacked into to change the list.

  3. #3
    5 Star Lounger
    Join Date
    Mar 2002
    Location
    Buenos Aires, Argentina
    Posts
    877
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Uneditable Mail (OL 2000/2003)

    Hi Leif,

    It's a good alternative (hadn't thought of that), but if possible we'd like the system to be more transparent. That is, our recipients have no guarantee that we will not change the list in the web site without notice. As a rather formal notification, we'd want something both parties can rely on. As if it were a printed notification, but in electronic format.

    Thanks for the suggestion
    <img src=/w3timages/blue3line.gif width=33% height=2>
    <img src=/S/flags/Argentina.gif border=0 alt=Argentina width=30 height=18> <big><font color=4682b4><font face="Comic Sans MS">Diegol</font face=comic></font color=4682b4> </big>

  4. #4
    Super Moderator
    Join Date
    Dec 2000
    Location
    Renton, Washington, USA
    Posts
    12,560
    Thanks
    0
    Thanked 4 Times in 4 Posts

    Re: Uneditable Mail (OL 2000/2003)

    You could send a "Screen shot" image of the files listing, then one would have to edit the image and not just a few letters of text.

    Now running HP Pavilion a6528p, with Win7 64 Bit OS.

  5. #5
    Plutonium Lounger Leif's Avatar
    Join Date
    Dec 2000
    Location
    U.K.
    Posts
    14,010
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Uneditable Mail (OL 2000/2003)

    You have no guarantee your recipients are going to receive your emails, let alone read them!

    I don't quite follow the need for guarantees, and it may be difficult for you to explain the setup that you require. I can still see pitfalls whatever route you take. Is there a difference between you updating the list on a web-page without telling them, and you emailing them notification which they don't receive?

  6. #6
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Salt Lake City, Utah, USA
    Posts
    9,508
    Thanks
    0
    Thanked 6 Times in 6 Posts

    Re: Uneditable Mail (OL 2000/2003)

    Along the lines of DaveA's suggestion, could you send a document with hyperlinks which is password protected to open?

    In the US documents which contain personal medical information must by law be kept very secure; for such information my company uses this service:
    http://www.zixcorp.com

    The product my company uses basically sends a non-secure e-mail requesting the recipient to log in to a secure site and get the 'real' message from a web-based mail system. I have no idea how much it costs, I assume it's not cheap, but I expect that my company reviewed the market and found it to be the best combination of price and security. You'll see a lot of well-known US health, health insurance, and banking companies listed in the "SuccessStories" section/applet.
    -John ... I float in liquid gardens
    UTC -7ąDS

  7. #7
    5 Star Lounger
    Join Date
    Mar 2002
    Location
    Buenos Aires, Argentina
    Posts
    877
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Uneditable Mail (OL 2000/2003)

    Hi Dave,

    I'd thought about that, but the list is about 20 pages long and the only way I know to convert such a long text file is via IrfanView, saving the data in the TXT format, opening the TXT with IView, and saving as an image format (JPG for example).
    It would be difficult to modify the image, but it can be done, and I wanted the procedure to be as trustworthy as possible, so I decided to ask for your advice <img src=/S/smile.gif border=0 alt=smile width=15 height=15>
    I had also thought of PDFing the image, so the recipient wouldn't be able to alter text very easily (not even if they got to know/crack the PDF password). But IView crams the whole list in a single JPG that gets printed in a single PDF page, which results in the output PDF being illegible.

    In any case, as time passes by and I get a taste of all your ideas, my paranoia tends to cease <img src=/S/grin.gif border=0 alt=grin width=15 height=15>
    <img src=/w3timages/blue3line.gif width=33% height=2>
    <img src=/S/flags/Argentina.gif border=0 alt=Argentina width=30 height=18> <big><font color=4682b4><font face="Comic Sans MS">Diegol</font face=comic></font color=4682b4> </big>

  8. #8
    Super Moderator
    Join Date
    Dec 2000
    Location
    Renton, Washington, USA
    Posts
    12,560
    Thanks
    0
    Thanked 4 Times in 4 Posts

    Re: Uneditable Mail (OL 2000/2003)

    Sounds like you need to invest in to a GOOD well protected PDF program such as Adobe Acrobat. The investment will save you a lot work and headaches.

    Now running HP Pavilion a6528p, with Win7 64 Bit OS.

  9. #9
    5 Star Lounger
    Join Date
    Mar 2002
    Location
    Buenos Aires, Argentina
    Posts
    877
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Uneditable Mail (OL 2000/2003)

    <hr>You have no guarantee your recipients are going to receive your emails, let alone read them!<hr>
    You make a point there. As things are now, it seems we'll try to make do with something in the short run until we can implement a user-based site (perhaps a not user-based site).
    <hr>I can still see pitfalls whatever route you take. Is there a difference between you updating the list on a web-page without telling them, and you emailing them notification which they don't receive?<hr>
    Several organizations are to send us certain attachments periodically and on schedule.
    When we receive their attachment, we want to send them a receipt. We also want to send them a warning of which files we have not received in due time. I know the whole scheme isn't totally reliable as it's internet-based, but this is the way it was designed a while ago. The reception of the attachments is somewhat critical, as it triggers payments to the organizations. That's why I wanted to make as sure as possible that someone couldn't alter the contents of the receipts, in case a recepient might try to tamper with mail contents to take legal actions. In a nutshell, we warn them we have not received a certain attachment, they alter the mail contents so it reads we have received the purported attachment and they sue us for not having payed them.

    Our idea is, however, to move to a web-based file-upload system.
    <img src=/w3timages/blue3line.gif width=33% height=2>
    <img src=/S/flags/Argentina.gif border=0 alt=Argentina width=30 height=18> <big><font color=4682b4><font face="Comic Sans MS">Diegol</font face=comic></font color=4682b4> </big>

  10. #10
    5 Star Lounger
    Join Date
    Mar 2002
    Location
    Buenos Aires, Argentina
    Posts
    877
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Uneditable Mail (OL 2000/2003)

    <hr>In the US documents which contain personal medical information must by law be kept very secure<hr>
    Good to know that. Our traffic does not include such information. AFAIK, in Argentina there is not such a well-establish body of legislation (there's a kind of legal gap). Over the last years there have been some improvements on digital signatures, and at this very moment legislators seem to be working on it. Hopefully things will be tidier some time from now.
    <img src=/w3timages/blue3line.gif width=33% height=2>
    <img src=/S/flags/Argentina.gif border=0 alt=Argentina width=30 height=18> <big><font color=4682b4><font face="Comic Sans MS">Diegol</font face=comic></font color=4682b4> </big>

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •