[Bug 145264] New: Kmail does not encrypt all parts of a message
Jörg Hermsdorf
yojoe at schneebrett.com
Thu May 10 14:16:34 BST 2007
http://bugs.kde.org/show_bug.cgi?id=145264
Summary: Kmail does not encrypt all parts of a message
Product: kmail
Version: unspecified
Platform: SuSE RPMs
OS/Version: Linux
Status: UNCONFIRMED
Severity: crash
Priority: NOR
Component: general
AssignedTo: kdepim-bugs kde org
ReportedBy: yojoe schneebrett com
Version: (using KDE KDE 3.5.6)
Installed from: SuSE RPMs
I just found a serious security bug in KMail.
My platform: openSUSE 10.2
KDE 3.5.6 "Release 77.1"
I'm using InlineOpenPGP/MIME with GPG keys. My default settings are "encrypt whenever possible" and "sign whenever possible". Usually this works fine: I create a new message to a contact whose public GPG key is correctly assigned in the address book. I click send, KMail shows me the dialog with the keys it will use for encryption and signing, I enter my passphrase and the message goes out encrypted.
Today I found out by accident that not all parts of a message are encrypted under certain circumstances:
This is the case when I create a message as usual, but add an attachment. In the attachment frame I check the two checkboxes 'encrypt' and 'sign'. I click send, the used keys are shown, I enter my passphrase and the message is sent. But the text part of my message has not been encrypted; it was sent in plain text, and only the attachment was encrypted. This is very dangerous, because I assumed that all parts of my message would be encrypted.
Strangely, if I create a message and DON'T CHECK the 'encrypt' and 'sign' checkboxes for attachments, all parts of the message will be encrypted.
I think this is a serious bug, please fix this soon. Anyway, these kinds of bugs can always be there. I wish there was a last step in the workflow of sending encrypted mails, where you have the chance to inspect the email in raw format, to be sure that everything is really encrypted as expected, before the message is actually sent out. Trust in KMail is good, but control is even better!
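The raw-format inspection the report asks for can be approximated with a structural check on the outgoing message. The following is an added example, not part of the original report and not KMail code: the function names and the sample message are constructed, and it assumes a part counts as encrypted only when its whole body is one ASCII-armored PGP block or the message is a PGP/MIME `multipart/encrypted` container.

```python
import email
from email import policy

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"

def is_armored(part):
    """True only if the part's whole body is one ASCII-armored PGP message."""
    body = (part.get_payload(decode=True) or b"").decode("ascii", "replace").strip()
    return body.startswith(BEGIN) and body.endswith(END)

def unencrypted_parts(raw_message):
    """Return (content_type, filename) for every leaf part left in the clear."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # PGP/MIME (RFC 3156): one multipart/encrypted container wraps the whole
    # message; its second part carries the ciphertext.
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        parts = msg.get_payload()
        ok = msg.is_multipart() and len(parts) == 2 and is_armored(parts[1])
        return [] if ok else [("multipart/encrypted", None)]
    # Inline OpenPGP: each leaf part must be armored ciphertext on its own.
    return [(p.get_content_type(), p.get_filename())
            for p in msg.walk()
            if not p.is_multipart() and not is_armored(p)]

# Constructed sample of the reported case: body in clear, attachment encrypted.
REPORTED_CASE = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Meet me at noon.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.txt.asc"

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

if __name__ == "__main__":
    for ctype, name in unencrypted_parts(REPORTED_CASE):
        print("NOT ENCRYPTED:", ctype, name or "(message body)")
```

The check looks only at message structure and armor markers; it does not decrypt anything or confirm which keys were used.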