Does SMIME encrypt the subject matter?

I've recently acquired an S/MIME certificate and installed it in Outlook 2013. I set my brother up to do the same. So I used his certificate to send him an encrypted mail. He had an out-of-office message, so I got a reply: "Re: [My Subject Matter] I'm out of office" All in PLAINTEXT!!! If the auto-responder is located on the mail server, how is the mail server able to read the encrypted subject matter?

My brother is using the mac.com Mail server from Apple. Does this mean Apple lets users install their certificates on the Apple Servers? That would kind of defeat the purpose of SMIME.

Answer 1

The short answer is:

With S/MIME, the message body is encrypted, but the message headers are not, the subject being one of the latter.

In more detail, the above is true with the exception of the headers defining the original MIME content type, which are extracted and added to the body before encrypting it. The MIME content type headers are then changed to something like application/pkcs7-mime; smime-type=enveloped-data, so the receiving email client knows how to handle the message contents (by decrypting it first).

In addition to that, proposals have been made to include the message subject in the encrypted part. For example, in theory, the subject header could be included in the encrypted part. The receiving email client should then display the encrypted subject. Unfortunately, none of the popular email clients seems to support the encryption of the message subject.


Update

It seems that there is some support for S/MIME encrypted headers in mail clients now. Mail clients seem to at least extract and display encrypted subject headers (in addition to the "normal" ones), but I'm not sure if there is a mail client yet that encrypts the subject in outgoing emails.
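To make the structure described in this answer concrete, here is an added example (not code from the answerer) that builds the two layers of an S/MIME enveloped message with Python's standard `email` package: the inner MIME entity that gets encrypted (carrying the original Content-Type and, optionally, a copy of the Subject) and the outer `application/pkcs7-mime` message whose headers every mail server can read. The CMS encryption itself is replaced by a clearly labelled stub, since real EnvelopedData needs the recipient's certificate; the "..." outer subject mirrors the protected-headers convention the Update refers to and is an assumption about client behaviour, not something this page states.

```python
import email.policy
from email.message import EmailMessage
from email.parser import BytesParser

PLACEHOLDER_SUBJECT = "..."   # outer subject used when the real one is moved inside


def cms_envelope_stub(inner: bytes) -> bytes:
    """STUB: a real implementation returns DER-encoded CMS EnvelopedData
    built with the recipient's certificate. Here the bytes pass through
    unchanged so the example runs offline."""
    return inner


def build_smime(sender, recipient, subject, body, protect_subject=False) -> bytes:
    """Assemble an S/MIME enveloped message (RFC 8551 layout)."""
    inner = EmailMessage()
    inner.set_content(body)            # original Content-Type: text/plain lives here
    if protect_subject:
        inner["Subject"] = subject     # copy of the subject inside the encrypted part

    outer = EmailMessage()
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = PLACEHOLDER_SUBJECT if protect_subject else subject
    # The outer Content-Type only tells the client "decrypt me first".
    outer.set_content(cms_envelope_stub(inner.as_bytes()),
                      maintype="application", subtype="pkcs7-mime", cte="base64",
                      filename="smime.p7m",
                      params={"smime-type": "enveloped-data", "name": "smime.p7m"})
    return outer.as_bytes()


def visible_to_server(raw: bytes) -> dict:
    """What an MTA or auto-responder sees without the private key."""
    msg = BytesParser(policy=email.policy.default).parsebytes(raw)
    return {"Subject": str(msg["Subject"]),
            "content_type": msg.get_content_type(),
            "smime_type": msg.get_param("smime-type")}


def recover_inner(raw: bytes) -> dict:
    """What the recipient's client gets after decrypting: the inner entity."""
    outer = BytesParser(policy=email.policy.default).parsebytes(raw)
    inner_bytes = outer.get_payload(decode=True)      # would be the decrypted CMS content
    inner = BytesParser(policy=email.policy.default).parsebytes(inner_bytes)
    subj = inner["Subject"]
    return {"Subject": None if subj is None else str(subj),
            "content_type": inner.get_content_type(),
            "body": inner.get_content().strip()}
```

Running `visible_to_server` on a message built without `protect_subject` returns the real subject, exactly what the out-of-office responder in the question saw; with `protect_subject=True` the server sees only "...", and the subject reappears from `recover_inner`.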
