[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

Daniel Vrátil bugzilla_noreply at kde.org
Mon Apr 8 17:55:35 BST 2019


https://bugs.kde.org/show_bug.cgi?id=404698

Daniel Vrátil <dvratil at kde.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dvratil at kde.org

--- Comment #3 from Daniel Vrátil <dvratil at kde.org> ---
In KMail this attack requires that the user enable the "Automatic decryption of
encrypted messages when viewing" option in KMail settings, which is disabled by
default.

Without this option enabled the user has to click on "Decrypt" on the part that
the attacker wants to leak. At this point, the user will still clearly see
which part of the content was encrypted and which part was not. When the user
wants to reply to this decrypted message, the content would indeed get leaked
to the attacker. However, I believe that at this point KMail has done enough to
prevent (by not enabling auto-decryption by default) and warn (by clearly
showing which part is encrypted and which not) the user so he or she could
judge for themselves the potential risks when replying to the message.

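The mitigation Daniel describes is a user-facing one (no auto-decryption by default, plus clear marking of which parts were encrypted). As an added example that is not KMail code and not part of the bug report, the following Python model shows what an automatic guard in a reply composer could look like: each part of the incoming message carries a flag saying whether it arrived encrypted, and quoting such a part into a reply is only allowed when the reply itself will be encrypted; otherwise the quoted text is replaced by a placeholder. The `Part`/`Message` classes, the function names and the sample message are all constructed for illustration.

```python
"""Model of a reply-composer guard against the reply-based decryption oracle.

Added example, not KMail's code. A message is a list of MIME-like parts, each
flagged as having been PGP/S/MIME encrypted on the wire. compose_reply() only
quotes decrypted content when the outgoing reply is itself encrypted; with
guard=False it reproduces the leaking behaviour the bug describes.
"""
from dataclasses import dataclass
from typing import List

PLACEHOLDER = "[encrypted content omitted from unencrypted reply]"


@dataclass
class Part:
    body: str            # text as shown to the user (already decrypted if was_encrypted)
    was_encrypted: bool  # True if this part arrived PGP/S/MIME encrypted


@dataclass
class Message:
    sender: str
    subject: str
    parts: List[Part]


def quotable_parts(msg: Message, reply_encrypted: bool, guard: bool = True) -> List[str]:
    """Return the text blocks that may be quoted in the reply.

    Decrypted parts are quoted verbatim only when the reply will be encrypted
    (or when the guard is disabled); otherwise a placeholder takes their place.
    """
    out = []
    for p in msg.parts:
        if guard and p.was_encrypted and not reply_encrypted:
            out.append(PLACEHOLDER)
        else:
            out.append(p.body)
    return out


def compose_reply(msg: Message, reply_encrypted: bool, guard: bool = True) -> str:
    """Build the reply body with each quoted line prefixed by '> '."""
    quoted_lines = []
    for text in quotable_parts(msg, reply_encrypted, guard):
        quoted_lines.extend("> " + line for line in text.splitlines())
    return f"To: {msg.sender}\nSubject: Re: {msg.subject}\n\n" + "\n".join(quoted_lines) + "\n"


def leaks_decrypted_content(msg: Message, reply_text: str, reply_encrypted: bool) -> bool:
    """Detection helper: True if a plaintext reply would carry any line that
    only existed in encrypted form on the wire."""
    if reply_encrypted:
        return False
    quoted = {line[2:] for line in reply_text.splitlines() if line.startswith("> ")}
    for p in msg.parts:
        if p.was_encrypted and any(line in quoted for line in p.body.splitlines()):
            return True
    return False


# Constructed sample: an attacker-controlled plaintext part wrapped around a
# previously captured ciphertext that the user has decrypted in the viewer.
SAMPLE = Message(
    sender="someone@example.invalid",
    subject="Can you confirm this?",
    parts=[
        Part("Hi, does the text below still look right to you?", was_encrypted=False),
        Part("Board minutes (confidential)\nBudget figure: 1234", was_encrypted=True),
    ],
)

if __name__ == "__main__":
    naive = compose_reply(SAMPLE, reply_encrypted=False, guard=False)
    guarded = compose_reply(SAMPLE, reply_encrypted=False, guard=True)
    print("naive reply leaks:", leaks_decrypted_content(SAMPLE, naive, False))
    print("guarded reply leaks:", leaks_decrypted_content(SAMPLE, guarded, False))
    print(guarded)
```

The guard keys off provenance of the text, not off the recipient list: even when replying only to the original sender, the decrypted lines are withheld unless the reply is encrypted, which is exactly the case the bug report is about (the sender may be the party that injected the ciphertext).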