
I've recently acquired an S/MIME certificate and installed it in Outlook 2013. I set my brother up to do the same. So I used his certificate to send him an encrypted mail. He had an out-of-office message, so I got a reply: "Re:[My Subject Matter] I'm out of office" All in PLAINTEXT!!! If the auto-responder is located on the mail server, how is the mail server able to read the encrypted subject matter?

My brother is using the mac.com mail server from Apple. Does this mean Apple lets users install their certificates on the Apple servers? That would kind of defeat the purpose of S/MIME.

  • Out-of-office messaging isn't in the same workflow as user-generated emails. Did you actually send emails to test S/MIME? Commented Aug 10, 2013 at 17:17
  • No, I didn't test. Is there a good way? I could send an encrypted email to myself, but it would be sucked onto my client right away, and erased on my server, before I could access it via webmail.
    – yippy_yay
    Commented Aug 10, 2013 at 17:21
  • I found a way of sending without receiving mails. I will check my encryption.
    – yippy_yay
    Commented Aug 10, 2013 at 17:24
  • Interestingly, I found no English-language source about the simple fact that S/MIME only encrypts message bodies. Maybe because it appears obvious that a standard for encrypting MIME data will not encrypt non-MIME data (which the email subject is, mostly). The German Wikipedia mentions it though, roughly translated: The mail body is completely encrypted and can only be read by the intended recipient. … The mail headers (including Subject) are still unencrypted and should therefore not contain sensitive information.
    – Daniel Beck
    Commented Aug 10, 2013 at 17:30
  • Yeah, that sucks. I was trying to prove a point and typed all kinds of terrorist and political junk in the subject line. Now I'm on the NSA's radar for sure!!
    – yippy_yay
    Commented Aug 10, 2013 at 17:50

1 Answer

The short answer is:

With S/MIME, the message body is encrypted, but the message headers are not, the subject being one of the latter.

In more detail, the above is true with the exception of the headers defining the original MIME content type, which are extracted and added to the body before encrypting it. The MIME content type headers are then changed to something like application/pkcs7-mime; smime-type=enveloped-data, so the receiving email client knows how to handle the message contents (by decrypting them first).

In addition to that, proposals have been made to include the message subject in the encrypted part. For example, in theory, the subject header could be included in the encrypted part. The receiving email client should then display the encrypted subject. Unfortunately, none of the popular email clients seem to support the encryption of the message subject.


Update

It seems that there is some support of S/MIME encrypted headers in mail clients now. Mail clients seem to at least extract and display encrypted subject headers (in addition to the "normal" ones), but I'm not sure if there is a mail client yet that encrypts the subject in outgoing emails.
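As an added illustration, not part of the question or of the answer above, the following Python script (standard-library email package only) builds the application/pkcs7-mime enveloped-data layout the answer describes and shows which headers a mail server or its auto-responder can still read; it also builds the protected-subject variant mentioned in the update, where the real Subject travels inside the envelope and the outer one is replaced by a placeholder such as "...". The CMS encryption step is replaced by a labelled stand-in so the script runs offline, and the helper names (smime_envelope, visible_headers, open_envelope, constructed_message) and the sample message are my own.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Headers the MTA needs for routing; they stay outside the ciphertext.
TRANSPORT_HEADERS = ("From", "To", "Date", "Message-ID")
STAND_IN_TAG = b"CMS-ENVELOPED-DATA-STAND-IN:"

def stand_in_envelope(plain: bytes) -> bytes:
    """Placeholder for CMS EnvelopedData (RFC 5652), NOT encryption: a real sender
    runs `openssl cms -encrypt` or a CMS library here. Only the layout matters."""
    return STAND_IN_TAG + plain

def stand_in_open(blob: bytes) -> bytes:
    assert blob.startswith(STAND_IN_TAG), "not a stand-in envelope"
    return blob[len(STAND_IN_TAG):]

def smime_envelope(msg: EmailMessage, protect_subject: bool = False) -> bytes:
    """Hypothetical helper: wire form of `msg` in application/pkcs7-mime layout.
    The inner entity carries the original Content-Type and body; with
    protect_subject the Subject moves inside too and the outer one becomes '...'."""
    inner = EmailMessage(policy=policy.SMTP)
    inner.set_content(msg.get_content())          # original Content-Type + body
    if protect_subject:
        inner["Subject"] = msg["Subject"]
    outer = EmailMessage(policy=policy.SMTP)
    for name in TRANSPORT_HEADERS:
        if msg[name]:
            outer[name] = msg[name]
    outer["Subject"] = "..." if protect_subject else msg["Subject"]
    outer.set_content(stand_in_envelope(inner.as_bytes()),
                      maintype="application", subtype="pkcs7-mime", cte="base64",
                      params={"smime-type": "enveloped-data", "name": "smime.p7m"},
                      filename="smime.p7m")
    return outer.as_bytes()

def visible_headers(wire: bytes) -> dict:
    """Everything a mail server or its auto-responder can read without the key."""
    return {k: str(v) for k, v in message_from_bytes(wire, policy=policy.default).items()}

def open_envelope(wire: bytes) -> EmailMessage:
    """Recipient side: undo the stand-in and parse the protected inner entity."""
    outer = message_from_bytes(wire, policy=policy.default)
    return message_from_bytes(stand_in_open(outer.get_content()), policy=policy.default)

def constructed_message() -> EmailMessage:
    """Constructed sample input (not a real mail)."""
    m = EmailMessage(policy=policy.SMTP)
    m["From"], m["To"] = "alice@example.test", "bob@example.test"
    m["Subject"] = "Quarterly numbers, confidential"
    m.set_content("The body text is what S/MIME actually protects.\n")
    return m
```

Printing visible_headers(smime_envelope(constructed_message())) shows the Subject in the clear next to the application/pkcs7-mime Content-Type, while the original text/plain Content-Type and the body are only recoverable through open_envelope.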
