| Summary: | When forwarding an email as message/rfc822 attachment in a signed unencrypted email, header filtering leads to invalid signatures | | |
|---|---|---|---|
| Product: | [Applications] kmail2 | Reporter: | trempify |
| Component: | composer | Assignee: | kdepim bugs <kdepim-bugs> |
| Status: | REPORTED --- | | |
| Severity: | wishlist | | |
| Priority: | NOR | | |
| Version: | 4.14.7 | | |
| Target Milestone: | --- | | |
| Platform: | Gentoo Packages | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | |
| Sentry Crash Report: | | | |

Description
trempify
2016-01-30 17:26:00 UTC
A third possible workaround: don't sign the forwarded message, or include it in a separate multipart/signed part so that at least it is obvious that the forwarded message has been modified but the text written by me is intact. I would say my preferred solution is to strip all but a whitelist of headers from the forwarded message: the typical 'non-technical' user will not realise they are there and may inadvertently leak information through them. Someone who knows and cares about forwarding headers will still be able to 'View Source' and copy-paste the text (after mangling it so it will not be filtered).
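
The allow-list approach from the comment above, as an added example that is not part of the original report and is not KMail's code: it shows that stripping headers from the message/rfc822 part before the digest is taken keeps the signature valid, while stripping them afterwards does not. Assumptions: the allow-list contents, the sample message, SHA-256 standing in for the OpenPGP or S/MIME signature, and the failure modelled as a header change made after signing (the report does not say where KMail applies its filter).

```python
import hashlib
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed allow-list; the report does not say which headers should survive.
ALLOWED = {"from", "to", "cc", "subject", "date", "message-id",
           "mime-version", "content-type", "content-transfer-encoding"}

# Constructed sample of the message being forwarded.
ORIGINAL = (
    "Received: from mail.internal.example ([10.0.0.5])\r\n"
    "From: alice@example.org\r\n"
    "To: bob@example.org\r\n"
    "Subject: quarterly report\r\n"
    "X-Originating-IP: [192.0.2.44]\r\n"
    "User-Agent: ExampleMailer/1.0\r\n"
    "\r\n"
    "Numbers attached.\r\n"
)

def strip_headers(msg, allowed=ALLOWED):
    """Delete every header not on the allow-list, in place."""
    for name in {k.lower() for k in msg.keys()}:
        if name not in allowed:
            del msg[name]
    return msg

def build_forward(inner):
    """Bytes a multipart/signed wrapper would cover: note + message/rfc822."""
    outer = EmailMessage(policy=policy.SMTP)
    outer["Subject"] = "Fwd: quarterly report"
    outer.set_content("See the forwarded message.")
    outer.add_attachment(inner)                 # becomes a message/rfc822 part
    outer.set_boundary("constructed-boundary")  # fixed so output is reproducible
    return outer.as_bytes()

def forward(raw, filter_before_signing):
    """Return (digest that was signed, bytes actually sent)."""
    inner = message_from_string(raw, policy=policy.SMTP)
    if filter_before_signing:
        strip_headers(inner)
    signed = hashlib.sha256(build_forward(inner)).hexdigest()
    if not filter_before_signing:
        strip_headers(inner)   # modelled failure: part changes after signing
    return signed, build_forward(inner)

def verifies(signed, sent):
    """SHA-256 stands in for the OpenPGP or S/MIME signature check."""
    return hashlib.sha256(sent).hexdigest() == signed
```
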