[kmail2] [Bug 398454] New: GPG signatures can be faked with HTML/CSS

Mon Sep 10 09:49:43 BST 2018

https://bugs.kde.org/show_bug.cgi?id=398454

            Bug ID: 398454
           Summary: GPG signatures can be faked with HTML/CSS
           Product: kmail2
           Version: unspecified
          Platform: Other
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: crypto
          Assignee: kdepim-bugs at kde.org
          Reporter: hanno at hboeck.de
  Target Milestone: ---

Created attachment 114876
  --> https://bugs.kde.org/attachment.cgi?id=114876&action=edit
sample mail "signed" with CSS/HTML

In kmail signed mails are indicated by a green border around the mail content.

This can be almost perfectly simulated by rebuilding that border with an HTML
table. I've attached an example and screenshots of both a fake and a real mail
(they're visually identical, except for some minor font rendering details that
are invisible when not zooming in).

In the message list there's a small symbol indicating a signed message, so
there they can be distinguished, although I doubt anyone will notice. If a
message is opened in its own window there's no way to distinguish fake from
real.

The problem here is with the fact that a security indicator is part of an
"attacker-controlled" space, i.e. the content of a mail that gives the other
party extensive layout options.

-- 
You are receiving this mail because:
You are the assignee for the bug.