[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

David Faure bugzilla_noreply at kde.org
Sun Apr 21 18:14:23 BST 2019


https://bugs.kde.org/show_bug.cgi?id=404698

David Faure <faure at kde.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |faure at kde.org

--- Comment #11 from David Faure <faure at kde.org> ---
Interesting problem. Here's my feedback.

- Preventing KMail from *sending* such messages would obviously be no help (one
could just craft that message by hand or with another email client).

- Preventing the user from replying to such a message would be a very weird user
experience (sorry, you are not allowed to reply to this message!)

- So I guess the best solution is that when replying, we don't decrypt parts
that were encrypted in the original message. I.e. if we are replying with a
copy of those parts, and they were encrypted, they should be copied "as is".
This would prevent any newly-added recipient from reading those, but that's
fair enough I would say.
I wouldn't really know how to implement this though.
Might be tricky if the tree in memory only has the decrypted version.

- Alternatively, KMail could say "for security reasons, these parts are going
to be removed from your reply". But this also requires that we somehow know
that these parts used to be encrypted in the original email.
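
Added illustration of the two options sketched in comment #11 (copy encrypted
parts "as is", or strip them with a notice). This is not KMail code and not
from the bug report: it is a small Python reply builder that works on the raw
MIME tree instead of an already-decrypted in-memory tree, so "which parts used
to be encrypted" is answered from the Content-Type structure (RFC 3156
multipart/encrypted, RFC 8551 application/pkcs7-mime, inline PGP armor) and the
decryption routine is never reached. The sample message, the addresses, the
toy decryptor, the armored blobs and all function names are constructed for
the example; a naive builder that decrypts and quotes is included beside the
safe one to show the oracle.

```python
# Added example for this discussion, not KMail's code: build the reply from the
# raw MIME tree so that parts which were encrypted in the original are never
# decrypted into the quoted text. The message below (plaintext wrapper around
# captured ciphertext, Reply-To pointing at the attacker), the addresses, the
# toy decryptor and the armored blobs are all constructed placeholders.
import email
from email import policy
from email.message import EmailMessage

PGP_PROTOCOL = "application/pgp-encrypted"  # RFC 3156 multipart/encrypted
PKCS7_MIME = "application/pkcs7-mime"       # RFC 8551 S/MIME container
PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"   # inline PGP in a text part

RAW_ORIGINAL = """\
From: alice@example.com
Reply-To: attacker@example.com
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset=utf-8

Bob, can you confirm the figures in the attached message?
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder PGP/MIME ciphertext)
-----END PGP MESSAGE-----
--enc--
--outer
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----
(placeholder inline PGP ciphertext)
-----END PGP MESSAGE-----
--outer--
"""
ORIGINAL = email.message_from_string(RAW_ORIGINAL, policy=policy.default)
DECRYPT_LOG = []  # content types handed to the toy decryptor

def toy_decrypt(part) -> str:
    """Stand-in for GnuPG/S/MIME decryption; returns constructed plaintext."""
    DECRYPT_LOG.append(part.get_content_type())
    return "SECRET: the quarterly numbers are ..."

def is_encrypted_part(part) -> bool:
    """Recognise ciphertext containers from the MIME structure alone."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        return part.get_param("protocol") == PGP_PROTOCOL
    if ctype == PKCS7_MIME:
        # signed-data is only a signature; anything else is treated as encrypted
        return part.get_param("smime-type") != "signed-data"
    return ctype == "text/plain" and PGP_ARMOR in part.get_content()

def split_original(msg):
    """(plaintext bodies, encrypted parts); encrypted containers are not descended."""
    plain, encrypted = [], []
    def walk(part):
        if is_encrypted_part(part):
            encrypted.append(part)
        elif part.is_multipart():
            for sub in part.iter_parts():
                walk(sub)
        elif part.get_content_type() == "text/plain":
            plain.append(part.get_content())
    walk(msg)
    return plain, encrypted

def quote(text: str) -> str:
    return "\n".join("> " + line for line in text.rstrip("\n").splitlines())

def new_reply(original, body: str) -> EmailMessage:
    reply = EmailMessage()
    # Reply-To is attacker-controlled; that is what makes quoting an oracle.
    reply["To"] = str(original.get("Reply-To") or original.get("From", ""))
    reply.set_content(body)
    return reply

def build_reply_naive(original) -> EmailMessage:
    """The behaviour the bug describes: decrypt everything and quote it."""
    plain, encrypted = split_original(original)
    quoted = plain + [toy_decrypt(p) for p in encrypted]
    return new_reply(original, "\n\n".join(quote(t) for t in quoted))

def build_reply(original, keep_ciphertext: bool) -> EmailMessage:
    """Safe variants: attach ciphertext verbatim, or drop it and say so."""
    plain, encrypted = split_original(original)
    body = "\n\n".join(quote(t) for t in plain)
    if encrypted and not keep_ciphertext:
        body += (f"\n\n[{len(encrypted)} encrypted part(s) of the original "
                 "message were removed from this reply for security reasons.]")
    reply = new_reply(original, body)
    if keep_ciphertext:
        for i, part in enumerate(encrypted, 1):
            reply.add_attachment(part.as_bytes(), maintype="application",
                                 subtype="octet-stream", filename=f"encrypted-{i}.eml")
    return reply
```

With the constructed message, build_reply_naive() sends the decrypted text to
attacker@example.com, while both build_reply() variants quote only the plaintext
wrapper and never call the decryptor; in keep_ciphertext mode the original
ciphertext travels as unchanged attachments, so only the original key holders
can read it. The approach assumes the composer still has the raw message (not
just a decrypted node tree), and the pkcs7-mime branch errs on the side of
treating an unknown smime-type as encrypted.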

More information about the Kdepim-bugs mailing list