Hi,

[I'm reporting this here and not on the bug tracker since I don't want to agree to a few pages of TOS for reporting a bug (SF account required).]

When a correctly PGP/MIME-signed email is attached to an unsigned email, Enigmail wrongly verifies the attached mail and not the real mail. This is critical since it allows an attacker to write mails which look to the receiver as if they were signed correctly by another person (if the attacker has access to one correctly signed PGP/MIME mail from the person she wants to imitate).

Steps to reproduce:

- Write a PGP/MIME-signed mail (use a subject without spaces).
- Forward the received mail as an attachment and add some text. Don't sign or encrypt the forwarded mail. You can add arbitrary text here.
- Open the forwarded mail.

In the last step Enigmail shows the security info for the attached mail and not for the content of the mail. Therefore you get a "correctly signed by ..." message instead of the info that the content was unsigned.

Tested with Enigmail version 1.7.2 and Thunderbird 31.2.0 (both the Debian as well as the Arch Linux versions are affected, so that is probably not distribution specific).

HW42
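As an added illustration of the check a mail client needs here (this is not Enigmail's code), the Python below builds a constructed unsigned forward that carries a PGP/MIME-signed message as a message/rfc822 attachment and reports whether the signature sits on the top-level message or only on a nested part; the signature bodies are placeholders and no cryptographic verification is performed.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: a PGP/MIME-signed message (the signature body is a placeholder).
INNER_SIGNED = """From: alice@example.org
Subject: status-update
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="sigb"

--sigb
Content-Type: text/plain; charset=us-ascii

Meeting moved to 3pm.
--sigb
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
placeholder-not-a-real-signature
-----END PGP SIGNATURE-----
--sigb--
"""

# Constructed sample: the signed message forwarded as an attachment inside an UNSIGNED outer mail.
OUTER_UNSIGNED = """From: someone@example.net
Subject: Fwd: status-update
Content-Type: multipart/mixed; boundary="mixb"

--mixb
Content-Type: text/plain; charset=us-ascii

Added text that nobody signed.
--mixb
Content-Type: message/rfc822

""" + INNER_SIGNED + "--mixb--\n"

def _is_pgp_signed(part):
    # A PGP/MIME container per RFC 3156: multipart/signed with the pgp-signature protocol.
    return part.get_content_type() == "multipart/signed" and part.get_param("protocol") == "application/pgp-signature"

def signature_scope(raw):
    """'outer': the top-level message is signed (covers what the reader sees);
    'nested': only an attached/forwarded message is signed, the outer content is unsigned;
    'none': no PGP/MIME signature anywhere. Only 'outer' may be displayed as "signed by ..."."""
    msg = message_from_string(raw, policy=default)
    if _is_pgp_signed(msg):
        return "outer"
    # walk() descends into message/rfc822 attachments, so nested signatures at any depth are found.
    if any(_is_pgp_signed(p) for p in msg.walk() if p is not msg):
        return "nested"
    return "none"
```

A client that walks all parts and reports the first signature it finds would show the forwarded case as signed; tying the status to the top-level part, as above, reports it as unsigned.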
enigmail-users mailing list: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
