[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

Jens Mueller bugzilla_noreply at kde.org
Fri Apr 26 11:09:00 BST 2019


https://bugs.kde.org/show_bug.cgi?id=404698

--- Comment #15 from Jens Mueller <jens.a.mueller+kde at rub.de> ---
@David: This would mean if you attach a non-encrypted image to an encrypted...

Absolutely, such an email could not be decrypted anymore if you follow our
suggestions (or had to be manually decrypted on the command line). While this
may seem a bit harsh, we have not seen any mail client that allows sending such
"partially encrypted" emails (e.g., with unencrypted attachments), and I think
handling such edge cases can become a security nightmare. Either the whole mail
is encrypted or it's not, everything else gives a false sense of security,
imho.

However, I see the developer's perspective and the fear of potentially
breaking things, too. I guess a rule like "in case of an encrypted, multipart
email, reply only with the first part" *should* be fine too.

@Sandro: We originally tested in version 5.2.3 on Debian 9.8 (stretch). This
version is probably outdated by now.

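The two reply rules discussed in this comment (refuse to decrypt a partially encrypted mail at all, or quote only the first part of an encrypted multipart mail), as an added example in Python's standard `email` library; this is not KMail code and not from the bug report, and the MIME messages in it are constructed placeholders, not real ciphertext:

```python
import email
from email import policy

# Constructed sample (not real ciphertext): PGP/MIME body plus unencrypted attachment.
PARTIAL = """\
Content-Type: multipart/mixed; boundary="o"

--o
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="i"

--i
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
--i--
--o
Content-Type: image/png; name="photo.png"

not a real image
--o--
"""
# Constructed sample: S/MIME enveloped-data mail, i.e. fully encrypted.
SMIME = """\
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

cGxhY2Vob2xkZXI=
"""

def _is_encrypted(part) -> bool:
    """True for an OpenPGP/MIME (RFC 3156) container or an S/MIME enveloped-data body."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        return part.get_param("protocol") == "application/pgp-encrypted"
    return ctype == "application/pkcs7-mime" and part.get_param("smime-type") == "enveloped-data"

def reply_policy(raw: str, first_part_rule: bool = False) -> tuple:
    """(status, quotable): status is 'encrypted', 'partial' or 'plain'; quotable lists
    the content types a reply may decrypt and quote. By default nothing is decrypted
    unless every part is encrypted; first_part_rule=True is the weaker first-part rule."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Children of multipart/mixed are where an unencrypted attachment sits beside an encrypted body.
    parts = list(msg.iter_parts()) if msg.get_content_type() == "multipart/mixed" else [msg]
    flags = [_is_encrypted(p) for p in parts]
    if flags and all(flags):
        return "encrypted", [p.get_content_type() for p in parts]
    if not any(flags):
        return "plain", []
    return "partial", [parts[0].get_content_type()] if first_part_rule and flags[0] else []
```

A real client would run this before decrypting anything for the quoted reply body, so that the plaintext never reaches the composer for a mail that fails the chosen rule.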