On 11/04/2014 10:58 AM, HW42 wrote:
> [I'm reporting this here and not on the bug tracker since I don't want
> to agree to a few pages TOS for reporting a bug (sf account required)]
>
> When a correctly PGP/MIME signed email is attached to an unsigned
> email enigmail wrongly verifies the attached mail and not the real mail.

yes, this is a problem, and was noted on this list back in march of 2013 :(

http://thread.gmane.org/gmane.comp.mozilla.enigmail.general/17707/focus=17839

The best proposed fix i've seen was from Eduard Christian Dumitrescu:

http://thread.gmane.org/gmane.comp.mozilla.enigmail.general/17707/focus=17924

but i don't think anyone has implemented it.

> This is critical since this allows an attacker to write mails which
> look to the receiver as if they were signed correctly by another
> person (if the attacker has access to one correctly signed PGP/MIME
> mail from the person she wants to imitate).
>
> Steps to reproduce:
>
> - Write a PGP/MIME signed mail (use a subject without spaces).
> - Forward the received mail as attachment and add some text. Don't sign
>   or encrypt the forwarded mail. You can add arbitrary text here.
> - Open the forwarded mail.
>
> In the last step enigmail shows the security info for the attached mail
> and not for the content of the mail. Therefore you get a "correctly
> signed by ..." message instead of the info that the content was unsigned.
>
> Tested with enigmail version 1.7.2 and thunderbird 31.2.0 (both the
> debian as well as the archlinux versions are affected so that is
> probably not distribution specific).

agreed, i can confirm that this is also the case with enigmail 1.7.2 and
icedove 33.0~b1

--dkg
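As an added illustration (not code from the original report, from Enigmail, or from the fix proposed in the linked thread), the following Python builds the two-level MIME structure HW42 describes and contrasts a verifier that reports any multipart/signed part found anywhere in the message tree with one that only trusts the top-level structure when deciding what status to show for the displayed body. Addresses and the signature blob are constructed placeholders.

```python
import email
from email import policy
from email.mime.application import MIMEApplication
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample data: no real OpenPGP key or signature is involved.
SIGNATURE_PLACEHOLDER = (
    b"-----BEGIN PGP SIGNATURE-----\n...placeholder...\n-----END PGP SIGNATURE-----\n"
)

def build_signed_mail():
    """A PGP/MIME signed message in the RFC 3156 layout (multipart/signed)."""
    signed = MIMEMultipart("signed", protocol="application/pgp-signature",
                           micalg="pgp-sha256")
    signed["From"], signed["To"] = "alice@example.org", "bob@example.org"
    signed["Subject"] = "quarterly-report"        # no spaces, as in the report
    signed.attach(MIMEText("The numbers look good.\n"))
    signed.attach(MIMEApplication(SIGNATURE_PLACEHOLDER, "pgp-signature"))
    return signed

def build_forwarded_mail():
    """Unsigned outer mail carrying the signed one as a message/rfc822 attachment."""
    outer = MIMEMultipart("mixed")
    outer["From"], outer["To"] = "mallory@example.org", "bob@example.org"
    outer["Subject"] = "Fwd: quarterly-report"
    outer.attach(MIMEText("Please wire the funds today.\n"))  # the added text of step 2
    outer.attach(MIMEMessage(build_signed_mail()))
    return outer

def reparse(msg):
    """Serialize and parse again, so the checks run on what a client would receive."""
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)

def naive_status(msg):
    """Flawed: reports 'signed' if any part anywhere in the tree is multipart/signed."""
    for part in msg.walk():
        if part.get_content_type() == "multipart/signed":
            return "signed"
    return "unsigned"

def strict_status(msg):
    """Correct: only the top-level structure decides the status of the displayed body."""
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        return "signed"
    return "unsigned"

if __name__ == "__main__":
    fwd = reparse(build_forwarded_mail())
    print("naive :", naive_status(fwd))    # signed   (the behaviour the report describes)
    print("strict:", strict_status(fwd))   # unsigned
```

A nested signed part may still be verified, but its result belongs to the attachment it came from, not to the outer message the reader is looking at.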
_______________________________________________
enigmail-users mailing list
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
