On 2016-01-29 16:08:33 (+0100), Benny Kjær Nielsen <[email protected]> wrote:
On 27 Jan 2016, at 23:56, Philip Paeps wrote:
How would I go about changing the style of partially signed messages? I am guessing it's something like this but with different `type=` and `subtype=` parameters.

div.bodypart[type=message][subtype=rfc822] { }

No, that would target embedded emails (“Forward as Attachment”).

[...]

It was a quick hack to make sure that MailMate clearly indicates if someone has taken a signed email and extended its content with unsigned body part(s). This is essentially what often happens on the mailing list when the footer is added.

I really like this feature, quick hack or no! It's nice to be able to distinguish in a message with some parts signed and some parts not, which parts are signed (and whether I can trust them). The green/yellow/red borders around different parts of the message are great. Except with my stylesheet.css tinkering I got very low-contrast bright yellow on dim yellow.

Note that this message is actually a good example: the Apple security mail you included was signed and MailMate shows exactly which parts are signed and which parts aren't. Excellent.

I've now changed it such that you can style it with a custom stylesheet. Look for `div.security` in the default stylesheet. I haven't changed how it looks (which is pretty ugly). You are welcome to share it if you come up with something better.

Thanks! I'll tinker with this some more (see if I can make the yellow on yellow go away) and share my diff against stylesheet.css in case anyone wants it.

At least it appears it's not possible to put the unsigned content before the signed content. It doesn't trigger a warning, but Apple Mail then simply ignores that the message has signed parts at all.

Arguably, being able to prepend or append data without clear indication that this has been done is equally bad. Imagine an email with a signed invoice which has been intercepted and mangled by an attacker to include "please pay XXX to our account YYYY" below the invoice. Contrived example perhaps, but it's Friday afternoon, I couldn't think of anything better.

I just realized that it *is* possible to make the signed part appear as an attachment. By providing a filename then it's even possible to make it appear as if it's some kind of failed logo. [...]

Oops. That is terrible. That makes it look like the whole message has been signed. If all you need to make a whole message look like it's signed by a trustworthy sender, is any trusted message from such a sender, you can cause a lot of trouble.

I haven't checked any other email clients, but I doubt it's a common issue. I'm guessing most email clients would just ignore that the email is signed and/or encrypted.

The only other client I have significant experience with is Mutt, which like MailMate tells you the status of each part of multipart messages. Something like:

    [-- Attachment #1 --]
    [-- Type: multipart/signed, Encoding: 7bit, Size: 1.5K --]

    [-- PGP output follows (current time: Fri Jan 29 16:30:28 2016) --]
    This is the literal output from gpg --verify.  Mutt allows you to
    highlight based on regular expressions so it's easy to highlight
    whether the signature is good or bad and what's wrong with it if
    it's bad.
    [-- End of PGP output --]

    [-- The following data is signed --]

    The signed part is here.  If there are multiple signed parts, they
    are individually delimited with [-- --] markers like this.

    [-- End of signed data --]

    [-- Attachment #2 --]
    [-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]

    This would be a mailing list footer for instance.

Mutt displays OpenPGP and S/MIME signed messages identically (only with the output from OpenSSL rather than GnuPG, obviously). It's pretty clear to identify which parts are signed and which parts aren't.

Also don't interpret it as me stating that MailMate is more secure than Apple Mail.

As far as PGP and S/MIME go, I think you're doing a much better job than Mail.app. It's very important to be able to tell which parts are signed and which parts aren't in a complex multipart message. Being able to make a whole message appear to be signed by including a signed attachment is simply terrible.

I have attached the example email if anyone wants to try it out in Apple Mail or other email clients. That should also test how MailMate handles it...

I've looked at this message in Mutt. It's pretty clear which part is signed and which part isn't. My Mutt doesn't have access to root certificates (I get very little S/MIME mail, and those people I get it from, are explicitly trusted) so it can't tell me anything about how trustworthy the signed part is, but it tells me which part it is.

    [-- Attachment #3: The world is going under tomorrow.eml --]
    [-- Type: message/rfc822, Encoding: 7bit, Size: 7.3K --]

    Date: Sun, 16 Jan 2013 16:31:36 -0800
    [...]
    Message-id: <[email protected]>

    [-- Attachment #1: logo.png --]
    [-- Type: multipart/signed, Encoding: 7bit, Size: 6.6K --]

    [-- OpenSSL output follows (current time: Fri Jan 29 16:35:20 2016) --]
    [-- End of OpenSSL output --]

    [-- The following data is signed --]

    I’ve noticed that in some systems [...]

    [-- End of signed data --]

    [-- Attachment #2 --]
    [-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]

    This text is unsigned. [...]

    [-- Attachment #3: attachment.txt --]
    [-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]

    The same goes for attachments.

    [-- Attachment #4 --]
    [-- Type: text/plain, Encoding: base64, Size: 0.2K --]

    (mailing list footer here)

...and this shows that MailMate does not like the `attachment` disposition of the `multipart/signed` body part. It is shown both inline (as it should) and as an attachment (which it shouldn't). Worse, clicking “Quick Look” shows the wrong attachment.

Oops. :-)

Once upon a time, there was a MIME test suite on the web at http://www.imc.org/mimetest/. It's been taken offline because it was being abused by spammers. Perhaps you can still find it on archive.org though. If not: one of its authors uses MailMate and is subscribed to this mailing list (small world). Perhaps he has a local copy. ;-)

Hold down ⌥ when clicking “Check Now” in the Software Update preferences pane to get the test release.

Excellent!  Many thanks!

A few more comments in stylesheet.css would be helpful. :)

Apparently I'm too busy ranting on the mailing list :-)

I know how you feel. :)

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
_______________________________________________
mailmate mailing list
[email protected]
http://lists.freron.com/listinfo/mailmate
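The thread above turns on one structural fact: a `multipart/signed` container only covers its own first child, so anything placed beside it in an enclosing `multipart/mixed` (a list footer, an appended note, a stray attachment) is unsigned, and a client that does not draw that boundary misleads the reader. The following is an added example, not code from the thread, from MailMate or from Mutt. It uses Python's standard `email` package to walk a message tree and report which leaf parts sit inside a `multipart/signed` container and which do not, flags a message as partially signed when both kinds occur, and also flags a signed container carrying a `Content-Disposition: attachment`, the rendering problem noted above. The two sample messages are constructed here; their signature bodies are placeholders, because the check is about structure and does not verify any signature.

```python
"""Report which MIME leaf parts are covered by a multipart/signed container.

Added example; not code from the MailMate thread, MailMate or Mutt.
Only the tree structure is inspected; no signature is verified.
"""
from email import message_from_string
from email.message import Message

# Constructed sample: a multipart/signed body followed by an unsigned
# text part, the shape a mailing list footer produces. The signed container
# also carries an attachment disposition with a filename, as discussed in
# the thread. The signature payload is a placeholder, not a real PKCS#7 blob.
PARTIALLY_SIGNED = """\
From: [email protected]
To: [email protected]
Subject: constructed partially signed message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="inner"
Content-Disposition: attachment; filename="logo.png"

--inner
Content-Type: text/plain; charset=us-ascii

This text is inside the signed container.
--inner
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--inner--
--outer
Content-Type: text/plain; charset=us-ascii

This text is unsigned (mailing list footer).
--outer--
"""

# Constructed sample: the whole message body is the signed container.
FULLY_SIGNED = """\
From: [email protected]
To: [email protected]
Subject: constructed fully signed message
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="inner"

--inner
Content-Type: text/plain; charset=us-ascii

Whole message body is signed.
--inner
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--inner--
"""


def audit_signature_coverage(raw: str) -> dict:
    """Return which leaf parts are signed/unsigned, plus two warning flags.

    Parts are named by IMAP-style section numbers ("1.2" = second child of
    the root) so a report can point at the exact part, the way Mutt's
    "Attachment #n" markers do.
    """
    msg = message_from_string(raw)
    signed: list = []
    unsigned: list = []
    signed_as_attachment = False

    def walk(part: Message, path: str, inside_signed: bool) -> None:
        nonlocal signed_as_attachment
        ctype = part.get_content_type()
        if ctype == "multipart/signed":
            if part.get_content_disposition() == "attachment":
                signed_as_attachment = True
            children = part.get_payload()
            # RFC 1847: the first child is the signed data, the second is the
            # detached signature. Only the first child is covered.
            if children:
                walk(children[0], path + ".1", True)
            return
        if part.is_multipart():
            for index, child in enumerate(part.get_payload(), start=1):
                walk(child, f"{path}.{index}", inside_signed)
            return
        (signed if inside_signed else unsigned).append((path, ctype))

    walk(msg, "1", False)
    return {
        "signed": signed,
        "unsigned": unsigned,
        "partially_signed": bool(signed) and bool(unsigned),
        "signed_as_attachment": signed_as_attachment,
    }


def describe(raw: str) -> str:
    """One-line summary suitable for a log or a mail filter's X- header."""
    report = audit_signature_coverage(raw)
    flags = []
    if report["partially_signed"]:
        flags.append("PARTIALLY-SIGNED")
    if report["signed_as_attachment"]:
        flags.append("SIGNED-CONTAINER-AS-ATTACHMENT")
    return (f"signed={len(report['signed'])} unsigned={len(report['unsigned'])}"
            f" flags={','.join(flags) or 'none'}")


if __name__ == "__main__":
    print(describe(PARTIALLY_SIGNED))
    print(describe(FULLY_SIGNED))
```

The walker deliberately ignores the second child of each `multipart/signed` (the signature blob itself) and never descends further into it, so a signature part is neither counted as signed content nor reported as an unsigned leaf. Whether the signed content can be trusted is a separate question answered by the actual verifier (`gpg --verify` or OpenSSL, as in the Mutt output above); this check only tells you which parts that verdict applies to.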
