Re: Enigmail warning

[Guilherme Andrade <g () gandrade net>]

Reproducible on OS X 10.9.4 with Thunderbird 31 + Enigmail 1.7 as well.


Cheers,

On 20/08/14 07:21, securitylists wrote:
> Hi,
>
> We were able to reproduce the bug by trying to send an encrypted message to a bcc recipient. The message was promptly 
> sent without encryption or confirmation. It is usually not very relevant to use bcc when sending messages encrypted 
> with public keys but it can be chosen by accident and it shouldn't break the encryption like that.
>
> Please let me know if you are able to reproduce this.
>
> The client was Thunderbird 31.0 running on Ubuntu with Enigmail 1.7.
>
> Antti Kurittu
> Information Security Specialist
> National Cyber Security Center NCSC-FI 
> Finnish Communications Regulatory Authority FICORA
> Itämerenkatu 3 A PL 313, 00181 Helsinki, Finland
> +358 29 539 0100 
> http://www.cert.fi/en/ 
> PGP-fingerprint: 00CC B1BF 86B9 C3D8 3B4B  6A16 C496 0441 42CF CA51
>
> -----Original Message-----
> From: Nick Boyce [mailto:nick.boyce () gmail com] 
> Sent: 18. elokuuta 2014 20:00
> To: oss-security () lists openwall com
> Subject: Re: [oss-security] Enigmail warning
>
> On 18 August 2014 07:22, Henri Salo <henri () nerv fi> wrote:
>
> > http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/
> > Quote from thread below:
> > Enigmail 1.7 is completely broken for my purposes.
> > Steps to reproduce the problem:
> >
> > 1) Write an email in TB.
> > 2) Ensure "Force encryption" in Enigmail.
> > 3) Ensure "Force signing" in Enigmail.
> > 4) Recheck encryption and signing settings... OK.
> > 5) Send the email.
> > 6) Look at the received email. OOPS. It is NOT signed
> >     and NOT encrypted.
>
> Um ... I see from the Enigmail "Announcements" forum [1] that some major changes have been made to the package over 
> the last 24 months:
> specifically a decision was made to replace older C++ code (with maintainability issues) by new pure Javascript code, 
> thus hopefully achieving platform, GPG and TB version independence
>
> You can see how that sort of upheaval in the codebase might result in horrible problems like this.
>
> [ I switched away from TB to Claws/Kmail some time ago, so this is all news to me, but up till that point the 
> behaviour of TB V3 - 10 and Enigmail 1.0/1 in encrypting my mail was never less than excellent for me. ]
>
> More relevantly, the (primary ?) author specifically asked [2] for testers to step up and test the new Javascript 
> version thoroughly
>
>   "In order to reduce the risk of severe errors in
>    the release versions, I will regularly ask for help
>    in testing after I completed such changes."
>
> which leaves me wondering how many stepped up to perform that task. It would be interesting - and maybe alarming - to 
> know.
>
> [1] http://sourceforge.net/p/enigmail/forum/announce/
> [2] https://www.enigmail.net/list_archive/2012-January/014667.html
>
> Nick
> --
> "Bob has a problem requiring secure communication.
>  He decides to use certificates.
>  Now Bob has two problems."

-- 
Guilherme

https://www.gandrade.net/
PGP: 0x35CB8191 / 1968 5252 3901 B40F ED8A  D67A 9330 79B1 35CB 8191

Attachment: signature.asc
Description: OpenPGP digital signature