Samsung Email doesn't respect S/MIME algorithm selection.

(Topic created on: 18-05-2020 09:23 AM)
2541 Views
dannmartens
Apprentice

In the security options, I have selected the "SHA512" algorithm for signing S/MIME, but the receiver always gets a signature calculated with "SHA1." It seems that the selection of another algorithm has no effect.

 

Apart from this, it is important to select a stronger hash as some e-mail services reject low-grade algorithms such as "SHA1," and as a result, such a signature is no longer considered to be trustworthy.

 

What is the best place to raise issues for the "Samsung Email" app? 

0 Likes
9 REPLIES 9
Anonymous User
Not applicable

@dannmartens ,

It can only use SHA512 if both your and the recipient's certificates support it.
- Did you confirm this already?

 

-- Hans

0 Likes
dannmartens
Apprentice

Actually, the recipient does. I sent the e-mail to myself. I use SHA512 as my default signing algorithm.

 

The mail which I receive states that the SHA1 algorithm has been used.

 

What do you mean by "if the recipient's certificate supports it"? Algorithm support only depends on the client and the platform it runs on, AFAIK.

0 Likes
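The check described in the post above (send a signed mail to yourself and see which hash the signature uses) can be done on the raw message by reading both the `micalg` parameter of the `multipart/signed` header and the `digestAlgorithms` field inside the attached CMS SignedData. The Python below is an added example, not part of the thread or of the Samsung Email app; the function names are hypothetical and the sample message is constructed (a skeleton SignedData with no signer, not a valid signature). It assumes a detached signature with definite-length encoding.

```python
import base64, email

# OID content bytes (hex) of common digest algorithms
NAMES = {"2b0e03021a": "sha1", "608648016503040201": "sha256",
         "608648016503040203": "sha512"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite-length BER is not handled here")
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def signature_digests(raw_message):
    """Return (micalg from the MIME header, digest names listed in the CMS SignedData)."""
    msg = email.message_from_bytes(raw_message)
    found = []
    sig_parts = [p for p in msg.walk() if p.get_content_type().endswith("pkcs7-signature")]
    for part in sig_parts:
        _, content_info, _ = read_tlv(part.get_payload(decode=True), 0)  # ContentInfo
        _, _, pos = read_tlv(content_info, 0)            # contentType OID (signedData)
        _, explicit, _ = read_tlv(content_info, pos)     # [0] EXPLICIT wrapper
        _, signed_data, _ = read_tlv(explicit, 0)        # SignedData SEQUENCE
        _, _, pos = read_tlv(signed_data, 0)             # version INTEGER
        _, alg_set, _ = read_tlv(signed_data, pos)       # digestAlgorithms SET
        pos = 0
        while pos < len(alg_set):
            _, alg_id, pos = read_tlv(alg_set, pos)      # AlgorithmIdentifier
            oid = read_tlv(alg_id, 0)[1].hex()           # its algorithm OID
            found.append(NAMES.get(oid, oid))
    return msg.get_param("micalg"), found

def tlv(tag, body):                         # sample builder, short lengths only
    return bytes([tag, len(body)]) + body

def constructed_message(digest_oid_hex, micalg):
    """Constructed sample: skeleton SignedData without certificates or signers."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(digest_oid_hex)) + tlv(0x05, b""))
    sd = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, alg)
             + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701"))) + tlv(0x31, b""))
    der = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010702")) + tlv(0xA0, sd))
    return (f'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
            f'micalg={micalg}; boundary="b1"\r\n\r\n--b1\r\nContent-Type: text/plain\r\n\r\nhi\r\n'
            f'--b1\r\nContent-Type: application/pkcs7-signature\r\n'
            f'Content-Transfer-Encoding: base64\r\n\r\n{base64.b64encode(der).decode()}\r\n--b1--\r\n').encode()
```

The header value is only a declaration by the sending client, so the value read from the SignedData is the one to compare against the algorithm selected in the app's settings.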
Anonymous User
Not applicable

@dannmartens ,

Developers only consider a bug report when it comes with either exact steps to reproduce and confirm in the lab, or with multiple "me too" postings saying something doesn't work.
- Both are so far missing in this case (*)

 

Logic dictates there's a SHA-1 email certificate installed on your phone in order to create and send SHA-1 signed email. That certificate has to be revoked, then replaced and validated with a SHA-2 certificate from a trusted issuer:

The recipient needs a chain of trust from (the public part of) your certificate, via any and all intermediate certificates, to a root Certification Authority that's trusted on the recipient's device - for a digital email signature to be worth anything in the first place.

Recipients may be able to tick a checkbox saying 'Always trust this certificate', for practical reasons. This 'works' with people who know you, but does not add any real trust if the email certificate is used for business purposes.

 

Regarding your concerns regarding encryption strength: I'm not aware of any email server for common users that refuses to handle plain text mail. Some may require TLS or SSL for login and transport, but that's a different story.

 

(*) I don't use email for anything important. It would cost me €'s and hours with a nerdy friend to try to reproduce the issue.
- Anyone?

 

-- Hans

0 Likes
dannmartens
Apprentice

It's obvious from your reply you don't understand how certificates work, or how S/MIME works. I have reported your account for abusive behaviour.

0 Likes
Anonymous User
Not applicable

Let me know where I'm wrong? - I'm happy to learn.

0 Likes
AntS
Moderator

Hi guys,

 

We should be aiming to be educating and learning from one another.

 

@dannmartens , I've raised this algorithm issue with our software team. Me or one of the other Mods will let you know what the developers say. 👍

AntS
Moderator

@dannmartens , Are you able to share the following info for the developers?

 

  • Version number of the Email app you're using
  • Your device name/model number
  • OS version of the device
0 Likes
AntS
Moderator

Hi all,

 

An update from the developers on this:

 

"When the "require signed SMIME message" policy is set as true, then the user is not able to change the sign algorithm. In most cases the default is SHA1.


However, if this policy is not forced (so it is set as "false"), then the S/MIME message will be sent according to what is in the Security Settings.

 

It seems that the user has had the proper settings selected, but the proper algorithm was not selected (from Security Settings). So the development team has already prepared a fix for that and in one of the future updates it should work fine."

JAMES4578
Samsung Members Star ★★

Thanks for updating for those concerned @AntS , hopefully a fix soon.

 

On another point, members have various levels of expertise but indeed we all have something to learn. The report function is only there to report inappropriate comments that go against terms and conditions.

I do not work for Samsung or make Samsung Products but provide independent advice and valuable contributions.