thunderbird openpgp (enigmail) does not TELL if message was signed or not! (missing icon and info for encrypted+SIGNED in OpenPGP/MIME mode)

Bug #504738 reported by LimCore on 2010-01-08
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Enigmail | Fix Released | Medium | |
enigmail (Ubuntu) | | Medium | Unassigned |

Bug Description

Binary package hint: enigmail

ii thunderbird 2.0.0.23+build1+nobinonly-0ubuntu1
ii enigmail 2:0.95.7-1ubuntu2

Ubuntu 9.10 64 bit.

For OpenPGP/MIME messages (so, the best format for OpenPGP in emails),
if the email is both encrypted and signed,
Thunderbird does NOT show the SIGNED icon!

This is a very big problem.
Then users must either...
1) NOT check if message was SIGNED - this is very confusing, users may get used to "oh, Decrypted message means it was probably signed+encr" and then they can be tricked by an impersonation attack!
2) Not encrypt messages, only sign them - but this is obviously less secure
3) Use inline OpenPGP instead of OpenPGP/IMAP... but this is very bad if you use attachments - they are not signed nor encrypted!

This is a security risk since it makes it much more likely for users that do not fully understand the above nuances to misuse OpenPGP or be tricked, even if the sender uses proper setup of OpenPGP/MIME + encrypted + signed.

Attachment image shows the problem:
in kmail (works) and in thunderbird (fails)
OpenPGP/IMAP and Inline PGP

LimCore (limcore) wrote :
visibility: private → public
LimCore (limcore) wrote :

This bug is known by upstream https://www.mozdev.org/bugs/show_bug.cgi?id=5777 and is fixed there

Changed in enigmail (Ubuntu):
status: New → Confirmed
LimCore (limcore) on 2010-01-08
summary: thunderbird openpgp (enigmail) does not show the SIGNED icon when
- message is both encyrpted and SIGNED in OpenPGP/MIME mode
+ message is both encrypted and SIGNED in OpenPGP/MIME mode
Changed in enigmail:
status: Unknown → Fix Released

There is no workaround;
No way to know if the email you got was signed or not.

(Other than using another application for it, but that is really cumbersome)

summary: - thunderbird openpgp (enigmail) does not show the SIGNED icon when
- message is both encrypted and SIGNED in OpenPGP/MIME mode
+ thunderbird openpgp (enigmail) does not TELL if message was signed or
+ not! (missing icon and info for encrypted+SIGNED in OpenPGP/MIME mode)
C de-Avillez (hggdh2) wrote :

Setting to Medium. Tested on daily build of TB3, with EnigMail from Mozilla, works as expected.

I think this is worth considering for an SRU -- for those that do use encrypt+sign, the only option is to look at the source of the email.

Changed in enigmail (Ubuntu):
importance: Undecided → Medium
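
The distinction this report is about (decrypted only versus decrypted and signed) can be checked outside the mail client from the machine-readable status lines GnuPG writes with `--status-fd`. The following is an added example, not code from Enigmail or from this report; the sample status output, key IDs and addresses are constructed, and the names `classify` and `Verdict` are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

PREFIX = "[GNUPG:] "
# Worst result wins when several signature status lines appear.
RANK = {"none": 0, "good": 1, "unverified": 2, "bad": 3}
SIG_KEYWORDS = {"GOODSIG": "good", "BADSIG": "bad", "ERRSIG": "unverified",
                "EXPSIG": "unverified", "EXPKEYSIG": "unverified",
                "REVKEYSIG": "unverified"}

@dataclass
class Verdict:
    decrypted: bool = False
    signature: str = "none"          # none | good | unverified | bad
    signer: Optional[str] = None

    def summary(self) -> str:
        enc = "decrypted" if self.decrypted else "not decrypted"
        if self.signature == "none":
            return f"{enc}, NOT signed"
        who = f" ({self.signer})" if self.signer else ""
        return f"{enc}, signature {self.signature}{who}"

def classify(status_output: str) -> Verdict:
    """Turn gpg --status-fd lines into a decryption and signature verdict."""
    v = Verdict()
    for line in status_output.splitlines():
        if not line.startswith(PREFIX):
            continue                 # ignore anything that is not a status line
        keyword, _, args = line[len(PREFIX):].partition(" ")
        if keyword == "DECRYPTION_OKAY":
            v.decrypted = True
        elif keyword in SIG_KEYWORDS and RANK[SIG_KEYWORDS[keyword]] > RANK[v.signature]:
            v.signature = SIG_KEYWORDS[keyword]
            # GOODSIG/BADSIG carry "<keyid> <user id>"; ERRSIG has no user id.
            v.signer = (args.partition(" ")[2] or None) if keyword != "ERRSIG" else None
    return v

# Constructed status output; key IDs and the address are placeholders.
ENCRYPTED_ONLY = (
    "[GNUPG:] ENC_TO 0123456789ABCDEF 1 0\n"
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
)
ENCRYPTED_SIGNED = ENCRYPTED_ONLY + (
    "[GNUPG:] GOODSIG FEDCBA9876543210 Alice Example <alice@example.org>\n"
)

if __name__ == "__main__":
    for name, sample in (("encrypted only", ENCRYPTED_ONLY),
                         ("encrypted+signed", ENCRYPTED_SIGNED)):
        print(f"{name}: {classify(sample).summary()}")
```

A message that decrypts cleanly but yields no signature status line is reported as "NOT signed", which is the case the missing icon left indistinguishable from a signed one.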
Ezra Reeves (ezrareeves) on 2010-01-09
Changed in enigmail (Ubuntu):
assignee: nobody → Ezra Reeves (ezrareeves)
Ezra Reeves (ezrareeves) on 2010-01-10
Changed in enigmail (Ubuntu):
status: Confirmed → In Progress
Ezra Reeves (ezrareeves) wrote :

The patch that upstream used to fix this problem appears to already be implemented in the Ubuntu package, so it seems there has been a regression bug somewhere. If that is indeed the case I would say that the importance should be raised. Tracking down the regression is over my head as I know nothing about JavaScript.

Changed in enigmail (Ubuntu):
status: In Progress → Confirmed
assignee: Ezra Reeves (ezrareeves) → nobody
Ezra Reeves (ezrareeves) wrote :

Removing the Ubuntu package and installing the plugin from http://enigmail.mozdev.org/home/index.php works if you really need this working.

Micah Gersten (micahg) wrote :

Marking triaged. Upstream confirmed there was a regression in 0.95.7 and here is a link to the diff in CVS that fixed it:
http://www.mozdev.org/source/browse/enigmail/src/ui/content/enigmailMessengerOverlay.js.diff?r1=1.130;r2=1.131
This was fixed upstream in 0.96

Changed in enigmail (Ubuntu):
status: Confirmed → Triaged
Micah Gersten (micahg) wrote :

This was fixed in the Lucid version of 1.0.1-0ubuntu1

Changed in enigmail (Ubuntu):
status: Triaged → Fix Released
Changed in enigmail:
importance: Unknown → Medium
This report contains Public Security information
Everyone can see this security related information.
