Package: emacs24-el
Version: 24.3+1-2
Severity: normal

Hi emacs maintainers!

in /usr/share/emacs/24.3/lisp/gnus/mml2015.el.gz i see this variable
definition:

    (defcustom mml2015-always-trust t
      "If t, GnuPG skip key validation on encryption."
      :group 'mime-security
      :type 'boolean)

This is a security risk for users of encrypted mail. i believe it
should be set to nil by default. Here's why:

Consider Alice, who has OpenPGP certificates for "Bob <[email protected]>"
and "Carol <[email protected]>" in her keyring (in that order). She has
certified them both, so there is one valid primary key for
[email protected] and one valid primary key for [email protected].

Bob turns evil (or maybe his key is compromised) and he adds a new User
ID: "Bob <[email protected]>" to his OpenPGP cert. He publishes the update
to the keyservers.

Alice, following best practices, updates her keyring from the
keyservers regularly.

Alice's keyring now has two certs that have a "[email protected]" user ID
in them. One of them is valid, and the other one is not.

Alice now composes a message to "Carol <[email protected]>" and marks it
with:

    <#secure method=pgpmime mode=signencrypt>

As the message goes out, mml-mode just passes the e-mail address
[email protected] to gpg to encrypt the message body, and gpg uses the
e-mail address to select a key. Since Bob's key is first in the
keyring, it is the one that will be used.

Bob then sneaks a peek at Carol's e-mail (maybe they're delivered to
the same server, or he has a machine on the same network), catches the
message in transit, and can decrypt the content, violating Alice's
message confidentiality expectations.

Please set mml2015-always-trust to default to "nil" instead of "t".

    --dkg

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages emacs24-el depends on:
ii  emacs24-common  24.3+1-2

emacs24-el recommends no packages.

emacs24-el suggests no packages.

-- debconf-show failed
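
Added example, not part of the original report and not Emacs or GnuPG code: a simplified Python model of the recipient selection the report describes, showing which cert receives Alice's message before and after Bob's update, with validation skipped and enforced. The `select_key` and `build_keyring` helpers, the example.org addresses and the rule that a validating lookup only accepts a valid user ID are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserID:
    email: str
    valid: bool  # True when Alice's certifications make this user ID valid


@dataclass(frozen=True)
class Cert:
    owner: str
    user_ids: tuple


def select_key(keyring, email, always_trust):
    """Return the owner of the first cert usable for `email`, or None.

    Simplified model (assumption, not GnuPG's code): certs are scanned in
    keyring order. With always_trust any user ID carrying the address
    matches; without it only a valid user ID does.
    """
    for cert in keyring:
        for uid in cert.user_ids:
            if uid.email == email and (always_trust or uid.valid):
                return cert.owner
    return None


def build_keyring(bob_adds_carol_uid):
    """Constructed sample keyring: Bob first, then Carol, as in the report."""
    bob_uids = [UserID("bob@example.org", True)]
    if bob_adds_carol_uid:
        # Self-asserted user ID that Alice never certified, so it is not valid.
        bob_uids.append(UserID("carol@example.org", False))
    return [
        Cert("Bob", tuple(bob_uids)),
        Cert("Carol", (UserID("carol@example.org", True),)),
    ]


if __name__ == "__main__":
    for updated in (False, True):
        ring = build_keyring(updated)
        for trust in (True, False):
            owner = select_key(ring, "carol@example.org", trust)
            print(f"bob_added_uid={updated} always_trust={trust} -> {owner}")
```
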

