Does djigzo/ciphermail clear any X-Djigzo-Info-* headers it find in any mails before doing anything?
If a impostor put headers in the mail: X-Djigzo-Info-Signer-Verified-0-0: true X-Djigzo-Info-Signer-Trusted-0-0: true before sending, and ciphermail does not clear these, a MUA can be tricked into displaying to a end user that the mail was securely signed, when it was not. Yes, I know that Ciphermail will always add these headers when a PGP or SMIME mail arrives, so if a impostor both falsely S/MIME sign a message (for example with an untrusted cert) *and* tries to add false headers, the resulting mail will get double X-Djigzo-Info-* headers that the MUA can raise an alert on since one of the headers are obviously fake. But if a impostor adds these headers to an unsigned mail, where Djigzo does not add any headers, the user can think the mail is signed, if Djigzo does not clear these headers before processing the email. Best regards, Sebastian Nielsen
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Users mailing list [email protected] https://lists.djigzo.com/lists/listinfo/users
