Comment 2 for bug 16325

Martin Pitt (pitti) wrote:

For some reason, Bugzilla did not import the rather important reply to the
Debian bug. I spoke with Jonathan Riddell a while ago, and this is far from a
serious bug, so let's defer this a little.

Talking to upstream, it seems that the bug isn't quite as serious as the
summary might suggest.

Here's Dirk Mueller:

---
It does affect KMail 3.4 the same way it affected all older versions.
However, this proof of concept is pretty lame: it doesn't match the colors,
the fonts or even the font sizes. Of course you could theoretically tune
for that.

It doesn't have the usual link to the status popup though, and it's clearly
mentioned in several places that HTML rendering has phishing problems, and
HTML rendering is *disabled* by *default* in KMail, and you get a pretty
huge warning if you still enable it.

Anyway, the HTML bar also indicates that this is a spoofed message, maybe
not in an obvious way.

The only way we could mitigate this attack for real, though, is to load the
actual content in a separate frame, so that it cannot paint over KMail-specific
HTML. This is a long-term todo, and there are a few bits missing in KHTML
in order to achieve that.

So I'd either close it as wontfix or as duplicate, whatever you prefer.
---

So it would appear that while KMail's behaviour makes phishing easier than
it perhaps should be, in the real world it is far from a magical pass into
the user's confidence.

Moreover, the only fix for the foreseeable future would be to disable HTML
mail completely (it's already off by default and comes with a security
warning). I don't believe that to be a reasonable course of action, as it
would severely reduce KMail's usefulness for many users with only a minimal
increase in theoretical security.