Bug 145264

Summary: Kmail does not encrypt all parts of a message
Product: [Unmaintained] kmail Reporter: Jörg Hermsdorf <yojoe>
Component: encryptionAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED UNMAINTAINED    
Severity: major CC: bjoern, quazgar
Priority: NOR    
Version: 1.9.6   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Jörg Hermsdorf 2007-05-10 15:16:33 UTC 
Version:            (using KDE KDE 3.5.6)
Installed from:    SuSE RPMs

I just found out a serious security bug in KMail.
My platform: openSUSE 10.2
KDE 3.5.6 "Release 77.1"

I'm using InlineOpenPGP/MIME with GPG keys. My default settings are "encrypt when ever possible" and "sign whenever possible". Usually this works fine, I create a new message to a contact whose public GPG key is correctly assigned in the addressbook. I click send, KMail shows me the dialog which keys it will use for encryption and signing, I enter my passphrase and the message goes out encrypted.

Today, I found out by accident, that not all parts of a message are encrypted under certain circumstances:
This is the case when I create a message as usual, but add an attachment. In the attachment frame I check the two checkboxes 'encrypt' and 'sign'. I click send, the used keys are shown, I enter my passphrase and the message is sent. But the text part of my message has not been encrypted.. it was sent in plain text, only the attachment was encrypted. This is very dangerous, because I assumed that all parts of my message would be encrypted.

Strangely, If I create a message and DON'T CHECK, the 'encrypt' and 'sign' checkboxes for attachments, all parts of the message will be encrypted.

I think this is a serious bug, please fix this soon. Anyway, those kind of bugs can always be there, I whish there was a last step in the workflow of sending encrypted mails, where you have the chance to inspect the email in raw format, to be sure that everything is really encrypted as expected, before the message is actually sent out. Trust in KMail is good, but control is even better!
Comment 1 Jörg Hermsdorf 2007-05-10 15:18:07 UTC 
Sorry, I didn't want to mark this as a 'crash', could somebody change this to 'bug' please?
Comment 2 Björn Ruberg 2010-01-06 01:32:13 UTC 
Is this still a problem in recent kmail?
Comment 3 quazgar 2013-06-03 21:36:26 UTC 
I just want to ask again: Can you still reproduce this in a current version of KMail? I for example cannot see the encryption checkboxes for inline any more with 4.10.2. Maybe a warning dialog would be ok?
Comment 4 Andrew Crouthamel 2018-09-04 18:22:32 UTC 
Hello! Sorry to be the bearer of bad news, but this version of Kmail has been unmaintained for many years so I am closing this bug. Please try using the latest version of Kmail to see if your issue persists. If it does, please submit a new bug in "kmail2". Thank you!