[Enigmail] MIME multipart/signed and the risk of followon MIME parts

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue May 5 09:01:07 PDT 2009


Hi Enigmail people--

I sign my messages with enigmail using PGP/MIME.

The messages start out like this (parts are labeled with letters for
later reference):

*-+ Content-Type: multipart/signed (X)
  +-- Content-Type: text/plain (Y)
  +-- Content-Type: application/pgp-signature (Z)

When I send messages to mailing lists (like this one), the list software
appears to wrap the whole thing in an additional MIME layer, so that it
looks like this:

*-+ Content-Type: multipart/mixed (A)
  +--+ Content-Type: multipart/signed (X)
  |  +-- Content-Type: text/plain (Y)
  |  +-- Content-Type: application/pgp-signature (Z)
  +-- Content-Type: text/plain (disposition: inline) (B)

(B) in this case is the mailing list footer.

My concern is that Enigmail validates the multipart/signed bit, and
displays the "Good signature from..." message, but *also* displays part
B (after a horizontal rule).

I know at this point that only the displayed material before the
horizontal rule is what's actually signed, but it seems to me like a
malicious MTA could just as easily inject nasty stuff there and casual
enigmail users would not realize that the stuff in (B) was not actually
signed by the author of the e-mail.

Any thoughts about how to make this distinction clearer in the UI?

	--dkg
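
Added example, not part of the original post and not Enigmail's code: a Python sketch that walks a message shaped like the (A)/(X)/(Y)/(Z)/(B) layout above and reports which leaf parts fall inside the multipart/signed container and which do not. The sample message, the function names and the dotted part paths are constructed for illustration; the check is structural only and does not verify the OpenPGP signature.

```python
from email import message_from_string

# Constructed sample with the layout from the post: (A) wraps (X) and footer (B).
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="A"

--A
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="X"

--X
Content-Type: text/plain

Body written by the author.
--X
Content-Type: application/pgp-signature

(constructed placeholder, not a real signature)
--X--
--A
Content-Type: text/plain
Content-Disposition: inline

Footer appended in transit.
--A--
"""

def classify_parts(msg, covered=False, path="1"):
    """Return (path, content_type, status) per leaf part: 'signed' (first child of
    a multipart/signed), 'signature' (its second child) or 'unsigned'.
    Structural coverage only; the signature itself is not verified here."""
    ctype = msg.get_content_type()
    if not msg.is_multipart():
        return [(path, ctype, "signed" if covered else "unsigned")]
    out = []
    for i, child in enumerate(msg.get_payload(), 1):
        sub = f"{path}.{i}"
        if ctype == "multipart/signed" and not covered and i == 2:
            out.append((sub, child.get_content_type(), "signature"))
        else:
            # Only the first child of multipart/signed gains coverage.
            gains = ctype == "multipart/signed" and i == 1
            out += classify_parts(child, covered or gains, sub)
    return out

def unsigned_leaves(raw):
    """Leaf parts a mail UI should mark as not covered by the signature."""
    return [p for p in classify_parts(message_from_string(raw)) if p[2] == "unsigned"]
```

On the sample, the footer (B) is the only leaf reported as unsigned, which is the part a client would need to set apart visually from the verified body.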
