[Pkg-mozext-maintainers] Bug#739828: enigmail: mistaken identity of signature

Steven Chamberlain steven at pyro.eu.org
Mon Dec 15 22:41:04 UTC 2014


# tentatively lowering severity, but I still think it's a security risk
severity 739828 important
tags 739828 + security
# the referenced upstream bug seems unrelated to this?
notforwarded 739828
notfixed 739828 enigmail/2:1.6-1
# issue is still there
found 739828 2:1.7.2-1~deb7u1
thanks

Hi,

Sorry for leaving this bug unanswered so long.  I don't much use
enigmail/icedove any more.  But I checked today with the latest enigmail
in wheezy that this issue is still present.

I notice something new I didn't realise before.  One of the attachments
in the mail (ForwardedMessage.eml) *was* signed by me (in the detached
signature.asc, also attached), and that's the signature really being
verified here.  The attached screenshot illustrates this.

The problem is that the first/main part of the message
(see https://lists.debian.org/debian-bsd/2014/02/msg00244.html)
is not signed at all.  Anything could be written there, the headers
could be forged, and the user interface would still show green / "Good
signature from <...>".

(The timestamp of the signature at the top, and list of attachments at
the bottom are not expanded/shown by default).

An imposter would simply attach an old, legitimately signed mail from
the sender to be spoofed, and enigmail would make the whole mail appear
to be genuine.

Regards,
-- 
Steven Chamberlain
steven at pyro.eu.org
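As an added illustration (not from the bug report and not Enigmail's own code), the Python below walks a message's MIME tree and reports whether a PGP/MIME signature (RFC 3156 multipart/signed) covers the text a client renders as the body, or only an attached message, which is the structure described above. The sample message is constructed and the signature block is a placeholder; a real check would still verify the signature itself.

```python
from email import message_from_string, policy
PGP_SIG = "application/pgp-signature"

def signature_scope(raw):
    """'none': no PGP/MIME signature; 'body': the text the reader sees is
    inside a multipart/signed wrapper (RFC 3156); 'attachment-only': otherwise."""
    leaves = []  # (content_type, covered_by_signature) in display order
    def walk(part, covered):
        ctype = part.get_content_type()
        if ctype == "multipart/signed" and part.get_param("protocol") == PGP_SIG:
            kids = part.get_payload()
            if len(kids) == 2 and kids[1].get_content_type() == PGP_SIG:
                walk(kids[0], True)  # only the first child is the signed data
            return
        if part.is_multipart():  # multipart/* and message/rfc822 containers
            for kid in part.get_payload():
                walk(kid, covered)
        else:
            leaves.append((ctype, covered))
    walk(message_from_string(raw, policy=policy.default), False)
    if not any(covered for _, covered in leaves):
        return "none"
    # leaves[0] is the part a mail client renders as the message body
    return "body" if leaves[0][1] else "attachment-only"

# Constructed sample shaped like the report: unsigned body + attached signed .eml.
FORGED = """\
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Please wire the money today.
--outer
Content-Type: message/rfc822

Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="inner"

--inner
Content-Type: text/plain

Harmless old text that really was signed.
--inner
Content-Type: application/pgp-signature

(placeholder standing in for the detached signature)
--inner--
--outer--
"""
# Same signed mail sent directly, so the signed wrapper is the top level:
GENUINE = FORGED.split("Content-Type: message/rfc822\n\n", 1)[1].rsplit("--outer--", 1)[0]
```

A client that only shows "Good signature" when the scope is "body" would not have displayed the green bar for the message in this report.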
-------------- next part --------------
A non-text attachment was scrubbed...
Name: enigmail.png
Type: image/png
Size: 41760 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozext-maintainers/attachments/20141215/15c58bfc/attachment-0001.png>