I was a tad surprised by the Financial Ombudsman service, as they tried replying to me, but sent a very long email on setting up a pass phrase with a link to their site so they could send me secure emails. It was a long and complicated email, and I had not spotted the bit about PGP right at the end to be honest. They fail in making the email so long to be honest, but are clearly trying to cater for people that have no clue on PGP first, hence fooling me slightly. I wonder if it can be a tad more concise and still be effective.
I replied saying basically that my PGP is on key servers, the key ID, and attaching my public key to the email. That was over two weeks ago (well, we had Christmas I guess).
Today I get an encrypted and signed email! This is where it gets slightly amusing as the email says :-
I've heard back from our IT department today who have said they're unable to open the attachment in the format it's been sent.
Well, the attachment was my PGP public key which, err, they are now using to send me the encrypted email.
After some email exchanges it is becoming apparent that the people you are emailing with don't see the PGP, they see plain text that says it was signed, for example. They get a tad confused by attachments it seems. They do not realise they are sending signed and encrypted emails. When I said "well done" for using my key, they are confused... I tried to explain.
So second slight failing is that they could do with a bit more training for the people that use the system.
However, top marks for a system that considers the financial information being exchanged by email to be sensitive and making use of existing encryption systems like PGP (and possibly some others by the look of it, hence the long initial email). This is a good sign...
Interesting that they made no attempt to verify that the key presented belongs to the human who has an account with them. I suspect it would have been easy to forge an email from you to them saying "Here's my key" and for them to then send that person personal info about you, confident that it's safe because it's encrypted. Especially if they don't actually see the working and hence have no appreciation of it. In fact it could be easy for a third-party to send an updated key and their system will possibly take it on. Unless they initially verify your key, and then use that as a basis for chaining new keys on when they change, they're still open to abuse, perhaps more so under the false illusion of safety because "military grade encryption".ReplyDelete
It is highly likely they are using the Symantec PGP gateway which handles all this. I have used this in the past, and as you say it handles everything transparently so the users at the company end don't see anything about the encryption in most cases because the internal traffic is deamed to be "secure." It could be argued that the system is acting as a man in the middle because it is decrypting the email before it reaches the destination and so the user never deals with encryption etc. My argument for this is it causes security issues because the users just send emails as normal with the expectation that some magic down the line will handle the encryption for them. IIRC the settings in the server are set such that they will contact the public key servers and if the email addresses match it encrypts to that key.ReplyDelete
In one of their newsletters they stated they use Symantec's PGP Universal product, which sits at the network level so my money would be on the users not seeing it at all.ReplyDelete
Actually, automated responses from Andrews & Arnold are sent to customers using the signing key for a different address, e.g. messages from email@example.com are signed by the key for firstname.lastname@example.org - I did raise this in correspondence with Accounts and they promised to look into it, but it was never fixed.ReplyDelete
I was sure we fixed that! I'll have to have another look.Delete
They do use Symantec. Rather unfortunately they add their DKIM signature BEFORE Symantec mess with it, so while their plain text mails have a good DKIM, their encrypted mails saysReplyDelete
Invalid (E-Mail was modified)
So getting their mail is fine, however I now want to reply to them. They don't appear to publish their own Public Key...I see somebody tried hard to get it:
But I still don't see it (nor should I trust a key I found in a random post)
This site seems to have the "internal doc" on how the ombudsman tells it's staffReplyDelete
(sadly does not seem to help ...all the keys listed at keys.financial-ombudsman.org.uk are mine...still can't find the ombudsmans key