thunderbird openpgp (enigmail) does not TELL if message was signed or not! (missing icon and info for encrypted+SIGNED in OpenPGP/MIME mode)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Enigmail | Fix Released | Medium | | |
enigmail (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
Binary package hint: enigmail
ii thunderbird 2.0.0.23+
ii enigmail 2:0.95.7-1ubuntu2
Ubuntu 9.10 64 bit.
For OpenPGP/MIME messages (so, the best format for OpenPGP in emails),
if the email is both encrypted and signed,
Thunderbird does NOT show the SIGNED icon!
This is a very big problem.
Then users must either...
1) NOT check if message was SIGNED - this is very confusing, users may get used to "oh, Decrypted message means it was probably signed+encr" and then they can be tricked by an impersonation attack!
2) Not encrypt messages, only sign them - but this is obviously less secure
3) Use inline OpenPGP instead of OpenPGP/IMAP... but this is very bad if you use attachments - they are not signed nor encrypted!
This is a security risk since it makes it much more likely for users that do not fully understand the above nuances to misuse OpenPGP or be tricked, even if the sender uses proper setup of OpenPGP/MIME + encrypted + signed.
Attachment image shows the problem:
in kmail (works) and in thunderbird (fails)
OpenPGP/IMAP and Inline PGP
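
How a mail front end can keep "decrypted" and "signed" apart, as an added example that is not part of the bug report or Enigmail's code: it reads GnuPG's machine-readable status lines (`--status-fd`) and always reports the signature state explicitly. The function names, key IDs and sample status output are constructed for illustration.

```python
# Added example: separate "decrypted" from "signed" using GnuPG status lines.
# All sample status output below is constructed for illustration.

SEVERITY = {"none": 0, "good": 1, "expired_or_revoked": 2, "bad": 3}
SIG_KEYWORDS = {
    "GOODSIG": "good",
    "EXPSIG": "expired_or_revoked",
    "EXPKEYSIG": "expired_or_revoked",
    "REVKEYSIG": "expired_or_revoked",
    "BADSIG": "bad",
    "ERRSIG": "bad",  # a signature is present but could not be checked
}
SIG_TEXT = {
    "none": "NOT signed",
    "good": "good signature",
    "expired_or_revoked": "signature or key expired/revoked",
    "bad": "signature could NOT be verified",
}

def classify(status_text):
    """Return (decrypted, signature_state) from `gpg --status-fd` output."""
    decrypted, sig = False, "none"
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "DECRYPTION_OKAY":
            decrypted = True
        elif keyword in SIG_KEYWORDS:
            state = SIG_KEYWORDS[keyword]
            if SEVERITY[state] > SEVERITY[sig]:  # the worst result wins
                sig = state
    return decrypted, sig

def label(status_text):
    """Text for the message header; the signature state is never implied."""
    decrypted, sig = classify(status_text)
    return f"{'decrypted' if decrypted else 'not decrypted'}, {SIG_TEXT[sig]}"

# Constructed samples: an encrypted-only message and an encrypted+signed one.
ENCRYPTED_ONLY = (
    "[GNUPG:] ENC_TO 1111111111111111 1 0\n"
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] END_DECRYPTION\n"
)
ENCRYPTED_SIGNED = ENCRYPTED_ONLY + (
    "[GNUPG:] GOODSIG 2222222222222222 Alice (constructed) <alice@example.org>\n"
)
```
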
summary: |
thunderbird openpgp (enigmail) does not show the SIGNED icon when - message is both encyrpted and SIGNED in OpenPGP/MIME mode + message is both encrypted and SIGNED in OpenPGP/MIME mode |
Changed in enigmail: | |
status: | Unknown → Fix Released |
Changed in enigmail (Ubuntu): | |
assignee: | nobody → Ezra Reeves (ezrareeves) |
Changed in enigmail (Ubuntu): | |
status: | Confirmed → In Progress |
Changed in enigmail: | |
importance: | Unknown → Medium |
This bug is known by upstream https://www.mozdev.org/bugs/show_bug.cgi?id=5777 and is fixed there