hi enigmail folks-- package/mimeEncrypt.js contains two hardcoded references to "enig2" that are used to create the MIME boundaries when using PGP/MIME.
In many circumstances it is not a problem to leak the information that the mail sender is using enigmail specifically, but there are some users and some use cases where the user does not want to reveal their choice of software. See, for example, Tor's documentation about thunderbird and enigmail: https://trac.torproject.org/projects/tor/raw-attachment/wiki/doc/TorifyHOWTO/EMail/Thunderbird/Thunderbird%2BTor.pdf Is there a reason to use the "enig2" prefix in package/mimeEncrypt.js at all? Would it be possible to simply remove it (and maybe extend the size of the string returned by createBoundary() ? The attached patch implements the suggestion. Alternately, if a fixed prefix is necessary for the boundary (i don't know why that would be), maybe we could move that fixed prefix into an enigmail preference, so that users could override it if they needed? --dkg
diff --git a/package/mimeEncrypt.js b/package/mimeEncrypt.js index 9697a25..22e7259 100644 --- a/package/mimeEncrypt.js +++ b/package/mimeEncrypt.js @@ -183,7 +183,7 @@ PgpMimeEncrypt.prototype = { errorMsgObj); if (! this.proc) throw Cr.NS_ERROR_FAILURE; - this.cryptoBoundary = "----enig2"+this.createBoundary(); + this.cryptoBoundary = "----"+this.createBoundary(); this.startCryptoHeaders(); } @@ -307,7 +307,7 @@ PgpMimeEncrypt.prototype = { if (this.cryptoMode == MIME_ENCRYPTED) { let ct = this.getHeader("content-type", false); if ((ct.search(/text\/plain/i) == 0) || (ct.search(/text\/html/i) == 0)) { - this.encapsulate = "enig2"+this.createBoundary(); + this.encapsulate = this.createBoundary(); this.writeToPipe('Content-Type: multipart/mixed; boundary="'+ this.encapsulate+'"\r\n\r\n'); this.writeToPipe("--"+this.encapsulate+"\r\n"); @@ -426,7 +426,7 @@ PgpMimeEncrypt.prototype = { createBoundary: function() { var b = ""; - for (let i=0; i<20; i++) { + for (let i=0; i<25; i++) { b += String.fromCharCode(65 + Math.floor(Math.random() * 24)); } return b;
signature.asc
Description: OpenPGP digital signature
_______________________________________________ enigmail-users mailing list enigmail-users@enigmail.net https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net