# tentatively lowering severity, but I still think it's a security risk
severity 739828 important
tags 739828 + security
# the referenced upstream bug seems unrelated to this?
notforwarded 739828
notfixed 739828 enigmail/2:1.6-1
# issue is still there
found 739828 2:1.7.2-1~deb7u1
thanks

Hi,

Sorry for leaving this bug unanswered so long. I don't much use enigmail/icedove any more. But I checked today with the latest enigmail in wheezy that this issue is still present.

I notice something new I didn't realise before. One of the attachments in the mail (ForwardedMessage.eml) *was* signed by me (in the detached signature.asc, also attached), and that's the signature really being verified here. The attached screenshot illustrates this.

The problem is that the first/main part of the message (see https://lists.debian.org/debian-bsd/2014/02/msg00244.html) is not signed at all. Anything could be written there, the headers could be forged, and the user interface would still show green / "Good signature from <...>". (The timestamp of the signature at the top, and list of attachments at the bottom are not expanded/shown by default).

An imposter would simply attach an old, legitimately signed mail from the sender to be spoofed, and enigmail would make the whole mail appear to be genuine.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
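The check a mail client or filter could make for the situation reported above, as an added example that is not part of the original report and is not Enigmail code: it walks the MIME tree and reports whether a PGP/MIME signed entity is the top-level body or only a nested part, and which leaf parts fall outside any signed entity. The sample message, addresses and function names are constructed for illustration.

```python
from email import message_from_string

# Constructed sample: unsigned main text plus a nested signed entity (placeholder signature).
SPOOF = """\
From: Alice <alice@example.org>
Subject: constructed sample
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Unsigned text that the signature does not cover.
--outer
Content-Type: multipart/signed; boundary="inner"; protocol="application/pgp-signature"

--inner
Content-Type: message/rfc822

Subject: old mail

Old, legitimately signed text.
--inner
Content-Type: application/pgp-signature; name="signature.asc"

(constructed placeholder, not a real signature)
--inner--
--outer--
"""

def _is_pgp_signed(part):
    # RFC 3156 PGP/MIME: multipart/signed with the OpenPGP protocol parameter
    return (part.get_content_type() == "multipart/signed" and
            (part.get_param("protocol") or "").lower() == "application/pgp-signature")

def unsigned_leaves(part):
    """Content types of leaf parts that sit outside every signed entity."""
    if _is_pgp_signed(part):
        return []
    if not part.is_multipart():
        return [part.get_content_type()]
    return [t for child in part.get_payload() for t in unsigned_leaves(child)]

def signature_coverage(raw):
    """'whole-body', 'partial' or 'none' for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    if _is_pgp_signed(msg):
        return "whole-body"
    nested = any(_is_pgp_signed(p) for p in msg.walk())
    return "partial" if nested else "none"
```

A result of "partial" is the case where a single "Good signature" indicator for the whole message would be misleading. Even "whole-body" covers only the signed body part, not the outer headers such as From and Subject.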