https://bugs.kde.org/show_bug.cgi?id=398454
Bug ID: 398454
Summary: GPG signatures can be faked with HTML/CSS
Product: kmail2
Version: unspecified
Platform: Other
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: crypto
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 114876
--> https://bugs.kde.org/attachment.cgi?id=114876&action=edit
sample mail "signed" with CSS/HTML
In KMail, signed mails are indicated by a green border around the mail content.
This can be almost perfectly simulated by rebuilding that border with an HTML
table. I've attached an example and screenshots of both a fake and a real mail
(they're visually identical, except for some minor font-rendering details that
are invisible unless you zoom in).
In the message list there's a small symbol indicating a signed message, so
there they can be distinguished, although I doubt anyone will notice. If a
message is opened in its own window, there's no way to distinguish fake from
real.
The problem here is that a security indicator is part of an
"attacker-controlled" space, i.e. the content of a mail, which gives the other
party extensive layout options.
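The report's core point is that a visual cue drawn inside the rendered message body proves nothing, because the sender controls that body; the only trustworthy signal is the message's MIME structure plus an actual signature verification, and the indicator should be rendered in client chrome that message content cannot reach. The following script, added here as an illustration and not part of the bug report or of KMail's code, makes that distinction concrete: it builds a constructed "fake signed" HTML mail that draws a green table border (the colour and width are assumed; KMail's real styling is not reproduced), a constructed PGP/MIME mail with the RFC 3156 `multipart/signed` layout (the signature block is a placeholder), and a structural check that ignores rendering entirely. The structural check is deliberately not a cryptographic verification; a real client must still hand the first body part and the detached signature to GnuPG.

```python
"""Separate "looks signed" from "is structurally PGP/MIME-signed".

Added example, not KMail code. All messages below are constructed samples;
the HTML border styling is an assumption, not KMail's actual markup, and the
PGP signature block is a placeholder (this script does NOT run gpg --verify).
"""
from email import message_from_string
from email.message import Message
from email.policy import default

# Constructed sample: an ordinary unsigned HTML mail whose body draws a
# green frame with a table, mimicking a client's "signed" border (assumed style).
FAKE_SIGNED_HTML = """\
From: attacker@example.invalid
To: victim@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<table style="border:2px solid #40c040; width:100%"><tr><td>
Please wire payment to the new account.
</td></tr></table>
</body></html>
"""

# Constructed sample: the RFC 3156 PGP/MIME layout of a genuinely signed mail.
# Part 1 is the signed content, part 2 the detached signature (placeholder here).
REAL_SIGNED = """\
From: alice@example.invalid
To: victim@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=utf-8

Please wire payment to the usual account.

--sig-boundary
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----

--sig-boundary--
"""


def has_pgp_mime_signature(msg: Message) -> bool:
    """True iff the outermost layer is multipart/signed with a PGP signature
    part (RFC 3156). Structure only: the signature still has to be verified
    cryptographically before any "signed" indicator may be shown."""
    if msg.get_content_type() != "multipart/signed":
        return False
    if msg.get_param("protocol") != "application/pgp-signature":
        return False
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return False
    return parts[1].get_content_type() == "application/pgp-signature"


def looks_signed_visually(msg: Message) -> bool:
    """Crude stand-in for the visual cue: does any HTML part draw a border?
    This is exactly the attacker-controlled space the report describes, so a
    positive answer here carries no security meaning at all."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_content()
            if "border" in body and "solid" in body:
                return True
    return False


def classify(raw: str) -> str:
    """Decide what a client may safely indicate for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    if has_pgp_mime_signature(msg):
        return "signed-structure"      # verify with gpg, then show the indicator
    if looks_signed_visually(msg):
        return "spoofed-indicator"     # body imitates the UI; treat as unsigned
    return "unsigned"


if __name__ == "__main__":
    for label, raw in (("fake", FAKE_SIGNED_HTML), ("real", REAL_SIGNED)):
        print(label, classify(raw))
```

The point of `looks_signed_visually` is that it can be made to return true by anyone who sends HTML; only `has_pgp_mime_signature` followed by a real signature check should ever drive the indicator, and the indicator itself belongs in window chrome (message list icon, header pane, toolbar) rather than anywhere the message body can paint.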