Indeed, the message seems to have been munged somehow. You can see a screenshot of this in action here:
https://vc.gg/7NXkF0NP

This is pretty easy to reproduce, but if you need any help reproducing it let me know and I can send you a test off this list.

On 03/06/2016 03:17 PM, Vincent Canfield wrote:
> Hi,
>
> I found recently that when someone sends me an E-mail signed by another,
> the entire E-mail is treated as signed by that user. To recreate this
> issue, you can do the following in Mozilla Thunderbird:
>
> - Take an E-mail signed with PGP/MIME and save it as whatever.eml
> - Optionally, open the .eml file and take out the "From", "To", etc.
> headers (will cause the E-mail to take up less space at the bottom)
> - Send an E-mail to anyone using Enigmail with that .eml file as an
> attachment
> - Enigmail treats the entire message as being signed by the signee in
> the .eml file
>
> I'm not sure if this mailing list will munge my attachment in some way,
> but I have attached a signed message using a key I do not own as a test.
>
> I'm not sure this is the expected behavior, but it seems to cause
> opportunity for impersonation by anyone in possession of at least one
> PGP/MIME signed message. Considering non-PGP/MIME messages embedded in a
> normal plaintext E-mail will result in the message "Part of the message
> signed;" along with "BEGIN ENCRYPTED or SIGNED PART" descriptors, is
> there any way to turn on similar behavior for PGP/MIME messages?
>
> Thanks,
>
>
>
> _______________________________________________
> enigmail-users mailing list
> [email protected]
> To unsubscribe or make changes to your subscription click here:
> https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
>
signature.asc
Description: OpenPGP digital signature
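The check asked for in the report above, sketched as an added example (not part of the original post and not Enigmail's code): walk the MIME tree and report whether a PGP/MIME `multipart/signed` part is the message root or only a nested attachment, so a client can show "part of the message signed" instead of a whole-message status. The function names and both sample messages are constructed for illustration, and no signature is actually verified.

```python
from email import message_from_string
from email.message import Message

PGP = "application/pgp-signature"

def signed_parts(part: Message, depth: int = 0):
    """Yield the depth of every PGP/MIME multipart/signed node in the MIME tree."""
    if part.get_content_type() == "multipart/signed" and part.get_param("protocol") == PGP:
        yield depth
    elif part.is_multipart():  # also true for message/rfc822 attachments
        for child in part.get_payload():
            yield from signed_parts(child, depth + 1)

def signature_coverage(raw: str) -> str:
    """'full' if the signed part is the message root, 'partial' if nested, else 'none'."""
    depths = list(signed_parts(message_from_string(raw)))
    if not depths:
        return "none"
    return "full" if 0 in depths else "partial"

# Constructed sample: a PGP/MIME message with a placeholder instead of a real signature.
SIGNED_EML = (
    'Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="sig"\n'
    '\n'
    '--sig\n'
    'Content-Type: text/plain\n'
    '\n'
    'Text signed by someone else.\n'
    '--sig\n'
    'Content-Type: application/pgp-signature; name="signature.asc"\n'
    '\n'
    '(constructed placeholder, not a real signature)\n'
    '--sig--\n'
)
# Constructed sample: an unsigned mail carrying SIGNED_EML as an attachment.
WRAPPED = (
    'From: sender@example.org\n'
    'Content-Type: multipart/mixed; boundary="outer"\n'
    '\n'
    '--outer\n'
    'Content-Type: text/plain\n'
    '\n'
    'Unsigned text written by the actual sender.\n'
    '--outer\n'
    'Content-Type: message/rfc822\n'
    'Content-Disposition: attachment; filename="whatever.eml"\n'
    '\n' + SIGNED_EML + '--outer--\n'
)

if __name__ == "__main__":
    for name, raw in (("signed original", SIGNED_EML), ("attachment wrapper", WRAPPED)):
        print(name, "->", signature_coverage(raw))
```

A result of "partial" means the signature status applies only to the nested part and should be displayed next to that part, not in the header area for the whole message.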
