[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails
Jens Mueller
bugzilla_noreply at kde.org
Sat Apr 13 13:29:02 BST 2019
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #7 from Jens Mueller <jens.a.mueller+kde at rub.de> ---
Exactly that's the problem. Note that not only one message, but hundreds of
captured messages can be wrapped and leaked with one single reply.
Traditional message takeover attacks under a new identity (C) are considered as
an acceptable risk in email e2e encryption because it is assumed that given the
context of the message (e.g.,“Hi A, [...] Yours, B”) B can tell that this
message is not originally from C and could easily discover the deception.
However, using MIME wrapping, C can make a different content being displayed to
B (if B does not carefully scroll down the whole message conversation) and
therefore potentially trick B into replying to C.
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the Kdepim-bugs
mailing list