On Wed 2018-01-03 14:39:55 +0200, Lachezar Dobrev wrote:
>   Recently I've been greeted with a red warning every time I try to
> reply to an encrypted message saying:
>
>   "Beware of leaking sensitive information - partially encrypted email."
>
>   With a Details button that shows a pop-up:
>
> """
> The message you are editing was partially encrypted. That is, the
> message contains unencrypted and encrypted parts. Some encrypted
> message parts may even be invisible to you.
>
> If the sender was not able to decrpyt the message parts originally, it
> is likely that you only got the email with some surrounding
> unencrypted text in order to make you reveal the encrypted
> information.
> """
>   (the "decrpyt" is a spelling mistake as is)
>
>   What does this actually mean, and why does it show on every message
> I try to reply to?
>
>   I have checked, and the mail is encrypted with the same two keys
> that the reply is going to be encrypted with: one is mine, the other
> is the one for the original sender.

This is about CVE-2017-17844.  The attack these warnings aim to mitigate
against goes like this:

 * attacker gets a copy of an encrypted message X that had been sent to
   you

 * attacker creates a new message Y to you, and embeds encrypted message
   X somewhere in the tail of message Y (the long chain of quoted,
   attributed text that everyone ignores because top-posting is somehow
   the expected norm).

 * you receive message Y, and reply to it (composing a new e-mail to the
   attacker).

 * without the warning, it's likely that Enigmail will decrypt the
   quoted message and place the cleartext in the new reply message.


However, it sounds like you're seeing this warning trigger on every
e-mail reply, which seems unlikely to be the intended situation.

What do your inbound e-mails look like?  How are they structured?  Are
they PGP/MIME, or inline PGP?  If they're inline PGP, is there a lot of
text around the encrypted blob?

     --dkg
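
The structural questions asked above can be checked mechanically. The following is an added example, not part of the original message and not Enigmail's code: it classifies a raw message as PGP/MIME, fully inline-encrypted, or inline PGP with cleartext around the armored block. The function names and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

ARMOR = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)

def visible_text(text):
    """Return the non-empty lines left after stripping quote markers."""
    lines = (ln.lstrip("> \t").strip() for ln in text.splitlines())
    return [ln for ln in lines if ln]

def classify(raw):
    """Return 'pgp-mime', 'inline-full', 'inline-partial' or 'plain'."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    verdict = "plain"
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_content()
        if not ARMOR.search(body):
            continue
        # Whatever remains once the armored blocks are cut out is cleartext
        # that sits next to the encrypted material (quoted or not).
        if visible_text(ARMOR.sub("", body)):
            return "inline-partial"
        verdict = "inline-full"
    return verdict

# Constructed samples; the armor body is a placeholder, not real ciphertext.
BLOB = ("-----BEGIN PGP MESSAGE-----\n\nhQEMA0placeholder\n"
        "-----END PGP MESSAGE-----\n")
HDR = "From: a@example.org\nTo: b@example.org\nSubject: test\n"
FULL = HDR + "\n" + BLOB
PARTIAL = (HDR + "\nQuick question, see below.\n\n"
           + "".join("> " + ln + "\n" for ln in BLOB.splitlines()))
MIME = (HDR + 'Content-Type: multipart/encrypted; boundary="b";\n'
        ' protocol="application/pgp-encrypted"\n\n'
        "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
        "--b\nContent-Type: application/octet-stream\n\n" + BLOB + "--b--\n")

if __name__ == "__main__":
    for name, raw in [("FULL", FULL), ("PARTIAL", PARTIAL), ("MIME", MIME)]:
        print(name, classify(raw))
```

Under this check any visible line outside the armor, including a footer appended in transit, makes an inline-PGP message count as partially encrypted.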
