On 04.01.18 14:38, Lachezar Dobrev wrote:
> 2018-01-03 19:04 GMT+02:00 Daniel Kahn Gillmor <[email protected]>:
>> On Wed 2018-01-03 14:39:55 +0200, Lachezar Dobrev wrote:
>>> Recently I've been greeted with a red warning every time I try to
>>> reply to an encrypted message saying:
>>>
>>> "Beware of leaking sensitive information - partially encrypted email."
>>>
>>> With a Details button that shows a pop-up:
>>>
>>> """
>>> The message you are editing was partially encrypted. That is, the
>>> message contains unencrypted and encrypted parts. Some encrypted
>>> message parts may even be invisible to you.
>>>
>>> If the sender was not able to decrpyt the message parts originally, it
>>> is likely that you only got the email with some surrounding
>>> unencrypted text in order to make you reveal the encrypted
>>> information.
>>> """
>>> (the "decrpyt" is a spelling mistake as is)
>>>
>>> What does this actually mean, and why does it show on every message
>>> I try to reply to?
>>>
>>> I have checked, and the mail is encrypted with the same two keys
>>> that the reply is going to be encrypted with: one is mine, the other
>>> is the one for the original sender.
>>
>> This is about CVE-2017-17844. The attack these warnings aim to mitigate
>> against goes like this:
>>
>> * attacker gets a copy of an encrypted message X that had been sent to
>> you
>>
>> * attacker creates a new message Y to you, and embeds encrypted message
>> X somewhere in the tail of message Y (the long chain of quoted,
>> attributed text that everyone ignores because top-posting is somehow
>> the expected norm).
>>
>> * you receive message Y, and reply to it (composing a new e-mail to the
>> attacker).
>>
>> * without the warning, it's likely that enigmail will decrypt the
>> quoted message and place the cleartext in the new reply message.
>>
>>
>> However, it sounds like you're seeing this warning trigger on every
>> e-mail reply, which seems unlikely to be the intended situation.
>>
>> What do your inbound e-mails look like? how are they structured? are
>> they PGP/MIME, or inline PGP? if they're inline PGP, is there a lot of
>> text around the encrypted blob?
>>
>> --dkg
>
> Hm, that does make sense.
> I made a test: sent myself a pair of PGP/MIME and a pair of
> Inline-PGP messages (one with signature, another unsigned). Trying to
> reply to the PGP/MIME message works as expected. Trying to reply to
> the Inline-PGP was met with the "Beware..." warning. I also noticed
> that most of my peers are using Inline-PGP 'cause android...
> I also noticed, that when cancelling the replies to the Inline-PGP
> messages Thunderbird asks to save the draft even with no new content,
> while cancelling the replies to the PGP/MIME message goes through. I
> suspect it is due to the way Inline-PGP messages work (the content is
> decrypted in-place).
>
> The Inline-PGP mail seems to be really blank:
> """
> To: obfuscated
> From: obfuscated
> Subject: Test
> Message-ID: <obfuscated>
> Date: Thu, 4 Jan 2018 15:15:55 +0200
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
> Thunderbird/52.5.0
> MIME-Version: 1.0
> Content-Type: text/plain; charset=utf-8
> Content-Language: bg
> Content-Transfer-Encoding: 8bit
>
> -----BEGIN PGP MESSAGE-----
> Charset: utf-8
>
> hQIOAxxQ0nrmqQMHEAf7BkQcd2+kZmXLrDOkUPpHf41/P3cssK4aslN+yuMPEQg5
> ... stripped 16 lines ...
> cBrNYUYb
> =cT46
> -----END PGP MESSAGE-----
> """
>
> If I understand correctly this is something I should get accustomed with.
The question is, what is the text that is above and below the decrypted message. I try not to display the warning if the message was completely inline-PGP encrypted, but that's pretty hard to do in the message composition window (where the original message is no longer available).

You could also ask your peers to install K-9 (plus OpenKeychain), or R2Mail2. Both can create and read PGP/MIME messages just fine.

-Patrick
_______________________________________________
enigmail-users mailing list
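As an added example (not code from this thread or from Enigmail), here is the kind of check Patrick describes as hard to do in the composition window, done on the raw inbound message instead: it decides whether a text/plain body is one armored block with nothing around it, ciphertext with other text around it (the CVE-2017-17844 shape, including armor buried under "> " quote prefixes), a PGP/MIME message, or plain text. The sample messages are constructed and the armor body is a placeholder, not real ciphertext.

```python
import email
import re
from email import policy

# One ASCII-armored OpenPGP message (RFC 4880, section 6.2): the BEGIN/END
# lines are fixed, so a regex is enough to locate a block in a text body.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----\n.*?\n-----END PGP MESSAGE-----", re.DOTALL)
QUOTE_RE = re.compile(r"^(?:> ?)+", re.MULTILINE)  # strips "> " reply prefixes


def classify(raw: str) -> str:
    """Return 'pgp-mime', 'inline-pgp', 'partial' or 'plain' for a raw message.

    'partial' is the CVE-2017-17844 shape: armored ciphertext with other
    text around it, possibly buried in the quoted tail of a reply."""
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        # PGP/MIME (RFC 3156): the whole payload is ciphertext, nothing to leak.
        proto = msg.get_param("protocol")
        return "pgp-mime" if proto == "application/pgp-encrypted" else "plain"
    if ctype != "text/plain":
        return "plain"
    body = QUOTE_RE.sub("", msg.get_content().replace("\r\n", "\n"))
    blocks = ARMOR_RE.findall(body)
    if not blocks:
        return "plain"
    # Drop every armored block; any non-blank text left is cleartext that a
    # reply would carry next to the decrypted ciphertext.
    leftover = ARMOR_RE.sub("", body).strip()
    return "partial" if leftover or len(blocks) > 1 else "inline-pgp"


# Constructed samples; the armor body is a placeholder, not real ciphertext.
HEADERS = ("From: alice@example.org\nTo: bob@example.org\n"
           "Subject: Test\nMIME-Version: 1.0\n")
ARMOR = ("-----BEGIN PGP MESSAGE-----\nCharset: utf-8\n\n"
         "PLACEHOLDERBASE64LINE1\nPLACEHOLDERBASE64LINE2\n=XXXX\n"
         "-----END PGP MESSAGE-----\n")
INLINE_MSG = HEADERS + "Content-Type: text/plain; charset=utf-8\n\n" + ARMOR
PARTIAL_MSG = (HEADERS + "Content-Type: text/plain; charset=utf-8\n\n"
               "Hi Bob, what do you think?\n\n> Earlier you wrote:\n>\n"
               + "".join("> " + ln + "\n" for ln in ARMOR.splitlines()))
MIME_MSG = (HEADERS + "Content-Type: multipart/encrypted; boundary=\"b1\";\n"
            " protocol=\"application/pgp-encrypted\"\n\n"
            "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
            "--b1\nContent-Type: application/octet-stream\n\n" + ARMOR
            + "--b1--\n")
```

Running classify over the three samples gives "inline-pgp", "partial" and "pgp-mime" respectively; only the "partial" result is the one the warning exists for.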
