07 September 2016

Why Did a Signed OpenPGP Email Fail a Signature Test at the Recipient's End?

One of our customers signed an email message with the Encryptomatic OpenPGP add-in for MS Outlook, but noticed that the recipient was unable to verify the message's digital signature, which was reported as invalid. They contacted our support team to report a bug.
On closer examination, our technician discovered that the message was being altered at the email server by MsgTag, a service that inserts web beacons into messages so that the sender knows it has been read.
This is essentially the sort of man-in-the-middle attacks that PGP signing a message is supposed to signal. If a message has been altered in transit, then a OpenPGP signed message will fail a signature test.
You can learn more about Web Beacons here.
If you are a user of #MsOutlook, download a copy of Encryptomatic OpenPGP and start protecting your email messages.