[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

Sandro Knauß bugzilla_noreply at kde.org
Fri Apr 26 12:00:21 BST 2019


https://bugs.kde.org/show_bug.cgi?id=404698

--- Comment #16 from Sandro Knauß <sknauss at kde.org> ---
(In reply to Jens Mueller from comment #15)
> @David: This would mean if you attach a non-encrypted image to an
> encrypted...
> 
> Absolutely, such an email could not be decrypted anymore if you follow our
> suggestions (or had to be manually decrypted on the command line). While
> this may seem a bit harsh, we have not seen any mail client that allows
> sending such "partially encrypted" emails (e.g., with unencrypted attachments),
> and I think handling such edge cases can become a security nightmare. Either
> the whole mail is encrypted or it's not, everything else gives a false sense
> of security, imho.

One client that supports sending encrypted mails with unencrypted attachments is
KMail (but you need to do it explicitly).

One common use case of such partially encrypted mails is mails forwarded via
Mailman. Mailman adds a non-encrypted footer to each email. So not supporting
these mails would break my workflow. This was the reason why I fixed
several things, because I didn't want to see this footer in the reply ;D And
I see a big difference between displaying such broken mails and replying.

> However, I see the developer's perspective and the fear of
> potentially breaking things, too. I guess a rule like "in case of an
> encrypted, multipart email, reply only with the first part" *should* be fine
> too.

I think so, too, that replying to only one part would be fine.

> @Sandro: We originally tested in version 5.2.3 on Debian 9.8 (stretch). This
> version is probably outdated by now.

Yes! Did you test any other version?

-- 
You are receiving this mail because:
You are the assignee for the bug.
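
The reply rule discussed in this thread ("in case of an encrypted, multipart email, reply only with the first part"), sketched as an added Python example; it is not KMail's code and does not come from either commenter. The function names, the set of MIME types treated as encrypted and the sample messages are assumptions constructed for illustration, and inline PGP blocks inside text parts are not covered.

```python
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Assumption: MIME types taken to mark an OpenPGP/MIME or S/MIME encrypted part.
ENCRYPTED_TYPES = {
    "multipart/encrypted",
    "application/pkcs7-mime",
    "application/x-pkcs7-mime",
}

def is_encrypted(part: Message) -> bool:
    return part.get_content_type() in ENCRYPTED_TYPES

def parts_to_quote(msg: Message) -> list:
    """Return the MIME parts a reply may quote (hypothetical helper)."""
    # A single-part mail, or one encrypted as a whole, is quoted as usual.
    if not msg.is_multipart() or is_encrypted(msg):
        return [msg]
    children = msg.get_payload()
    # Encrypted content anywhere in the tree: quote only the first part, so
    # later parts are never decrypted into the reply.
    if any(is_encrypted(p) for p in msg.walk()):
        return children[:1]
    return children

def encrypted_part() -> Message:
    """Constructed OpenPGP/MIME skeleton; the payload is a placeholder."""
    enc = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    enc.attach(MIMEBase("application", "pgp-encrypted"))
    blob = MIMEBase("application", "octet-stream")
    blob.set_payload("constructed placeholder, not real ciphertext")
    enc.attach(blob)
    return enc

def mixed(*parts: Message) -> Message:
    outer = MIMEMultipart("mixed")
    for p in parts:
        outer.attach(p)
    return outer

if __name__ == "__main__":
    samples = {
        "list mail with footer": mixed(encrypted_part(), MIMEText("list footer")),
        "encrypted part not first": mixed(MIMEText("hello"), encrypted_part()),
        "no encryption": mixed(MIMEText("a"), MIMEText("b")),
    }
    for name, msg in samples.items():
        print(name, [p.get_content_type() for p in parts_to_quote(msg)])
```

With the Mailman-style sample the unencrypted footer drops out of the quoted reply, and when the encrypted part is not first only the leading plain-text part is quoted.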