[kmail2] [Bug 335117] Information leak when using GPG on Bcc recipients

Sandro Knauß bugzilla_noreply at kde.org
Wed Jan 24 10:43:36 GMT 2018


https://bugs.kde.org/show_bug.cgi?id=335117

Sandro Knauß <sknauss at kde.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WAITINGFORINFO
             Status|CONFIRMED                   |NEEDSINFO

--- Comment #8 from Sandro Knauß <sknauss at kde.org> ---
Well no:

See, the way KMail solves this problem of not leaking hidden information is
different than e.g. Thunderbird does. Instead of sending one mail to everyone, as
is normally done in Thunderbird, KMail sends different mails to different
recipients. One mail is encrypted for the "normal recipients (To + CC)" and
sent only to them. And then, for each BCC recipient, one individual mail is
created and sent, all of which are only encrypted for one single BCC recipient.
So the BCC recipients DO NOT see the other keys and more importantly, the
normal recipients DO NOT see the keys of the BCC recipients, as this
information is sent in multiple (depending on the number of recipients and if
they are To, CC or BCC) individual mails. I don't see any leakage of keys here.

The hidden feature of gpg would be needed if KMail were to send only one mail
to all recipients. But the way KMail solves this issue (as described above),
this hidden feature is not needed. And additionally also with the -R feature
the "normal recipients" would see: 'okay the mail was encrypted for additional
keys' (but without knowing what these keys are).
Since KMail sends two types of mail, independent of each other, no information
leakage is possible. And not even the information that there are BCC recipients
(i.e., that there are two types of mail sent), is leaked.
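
The three approaches compared in the comment above, modelled as an added example (not part of the original comment and not KMail's code). The addresses and key IDs are constructed, the all-zero key ID stands for a gpg -R hidden recipient, and the sender's own encrypt-to-self key is left out for brevity.

```python
from dataclasses import dataclass

HIDDEN = "0x0000000000000000"  # zero key ID written for a hidden (-R) recipient

# Constructed sample recipients and key IDs (not real keys).
KEYS = {"alice@example.org": "0xAAAA0001", "bob@example.org": "0xBBBB0002",
        "carol@example.org": "0xCCCC0003", "dave@example.org": "0xDDDD0004"}
TO, CC = ["alice@example.org"], ["bob@example.org"]
BCC = ["carol@example.org", "dave@example.org"]

@dataclass(frozen=True)
class Mail:
    envelope: tuple  # addresses this copy is delivered to
    key_ids: tuple   # recipient key IDs readable from the encrypted message

def single_mail(to, cc, bcc, keys, hide_bcc=False):
    """One ciphertext delivered to everyone; BCC keys optionally hidden with -R."""
    ids = [keys[a] for a in to + cc]
    ids += [HIDDEN if hide_bcc else keys[a] for a in bcc]
    return [Mail(tuple(to + cc + bcc), tuple(ids))]

def split_mails(to, cc, bcc, keys):
    """One copy for To+CC, plus one copy per BCC recipient encrypted to that key only."""
    mails = [Mail(tuple(to + cc), tuple(keys[a] for a in to + cc))]
    mails += [Mail((a,), (keys[a],)) for a in bcc]
    return mails

def leaked_to(addr, mails, to, cc, keys):
    """Key IDs addr can read that belong neither to To/CC nor to addr itself."""
    public = {keys[a] for a in to + cc} | {keys[addr]}
    seen = [k for m in mails if addr in m.envelope for k in m.key_ids]
    return [k for k in seen if k not in public]

if __name__ == "__main__":
    plans = {"single mail": single_mail(TO, CC, BCC, KEYS),
             "single mail, -R": single_mail(TO, CC, BCC, KEYS, hide_bcc=True),
             "split mails": split_mails(TO, CC, BCC, KEYS)}
    for name, mails in plans.items():
        print(f"{name:16} alice sees extra key IDs:",
              leaked_to("alice@example.org", mails, TO, CC, KEYS))
```
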
