[Bug 145264] New: Kmail does not encrypt all parts of a message

Jörg Hermsdorf yojoe at schneebrett.com
Thu May 10 14:16:34 BST 2007


http://bugs.kde.org/show_bug.cgi?id=145264         
           Summary: Kmail does not encrypt all parts of a message
           Product: kmail
           Version: unspecified
          Platform: SuSE RPMs
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: crash
          Priority: NOR
         Component: general
        AssignedTo: kdepim-bugs kde org
        ReportedBy: yojoe schneebrett com


Version:            (using KDE KDE 3.5.6)
Installed from:    SuSE RPMs

I just found a serious security bug in KMail.
My platform: openSUSE 10.2
KDE 3.5.6 "Release 77.1"

I'm using InlineOpenPGP/MIME with GPG keys. My default settings are "encrypt whenever possible" and "sign whenever possible". Usually this works fine: I create a new message to a contact whose public GPG key is correctly assigned in the addressbook. I click send, KMail shows me the dialog with the keys it will use for encryption and signing, I enter my passphrase and the message goes out encrypted.

Today I found out by accident that not all parts of a message are encrypted under certain circumstances:
This is the case when I create a message as usual, but add an attachment. In the attachment frame I check the two checkboxes 'encrypt' and 'sign'. I click send, the used keys are shown, I enter my passphrase and the message is sent. But the text part of my message has not been encrypted; it was sent in plain text, and only the attachment was encrypted. This is very dangerous, because I assumed that all parts of my message would be encrypted.

Strangely, if I create a message and DON'T CHECK the 'encrypt' and 'sign' checkboxes for attachments, all parts of the message will be encrypted.

I think this is a serious bug, please fix this soon. Anyway, those kinds of bugs can always be there. I wish there was a last step in the workflow of sending encrypted mails, where you have the chance to inspect the email in raw format, to be sure that everything is really encrypted as expected, before the message is actually sent out. Trust in KMail is good, but control is even better!
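
The raw-format inspection the report asks for, sketched as an added example (not part of the original report and not KMail code): it walks a raw MIME message and lists every leaf part that is neither inside a PGP/MIME multipart/encrypted container nor an ASCII-armored OpenPGP block. The function name, addresses and sample messages are constructed for illustration.

```python
import email
from email import policy

ARMOR = b"-----BEGIN PGP MESSAGE-----"

def unencrypted_parts(raw: bytes) -> list:
    """Return (content type, filename) for every leaf MIME part sent in the clear."""
    findings = []

    def visit(part):
        ctype = part.get_content_type()
        if ctype == "multipart/encrypted":
            return  # RFC 3156 PGP/MIME: the whole subtree is one ciphertext
        if part.is_multipart():
            for sub in part.get_payload():
                visit(sub)
            return
        body = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
        if not body.strip():
            return  # empty part, nothing to leak
        # Heuristic: an inline-OpenPGP part must *start* with an armored block.
        # Binary (unarmored) OpenPGP attachments are flagged too and need a manual look.
        if not body.strip().startswith(ARMOR):
            findings.append((ctype, part.get_filename()))

    visit(email.message_from_bytes(raw, policy=policy.default))
    return findings

# Constructed samples: the placeholder block is not real ciphertext.
BLOCK = ARMOR + b"\n\n(constructed placeholder)\n-----END PGP MESSAGE-----"
SAMPLE_LEAKY = b"""\
From: alice@example.org
To: bob@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

This body was meant to be secret.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.pdf.asc"

""" + BLOCK + b"\n--b1--\n"
# Same message with the text body encrypted as well.
SAMPLE_OK = SAMPLE_LEAKY.replace(b"This body was meant to be secret.", BLOCK)

if __name__ == "__main__":
    for name, raw in (("leaky", SAMPLE_LEAKY), ("ok", SAMPLE_OK)):
        print(name, unencrypted_parts(raw))
```

Run against the message described in the report (encrypted attachment, plaintext body), such a check would list the text/plain part before the mail leaves the machine.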


