Bug 398454 - GPG signatures can be faked with HTML/CSS
Status: RESOLVED FIXED
Alias: None
Product: kmail2
Classification: Applications
Component: crypto
Version: unspecified
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
Reported: 2018-09-10 08:49 UTC by hanno
Modified: 2018-09-11 05:08 UTC (History)

Version Fixed In: 5.10.0


Attachments
sample mail "signed" with CSS/HTML (1.09 KB, text/plain)
2018-09-10 08:49 UTC, hanno
fake mail (25.42 KB, image/png)
2018-09-10 08:49 UTC, hanno
real mail (25.42 KB, image/png)
2018-09-10 08:50 UTC, hanno

Description hanno 2018-09-10 08:49:43 UTC
Created attachment 114876
sample mail "signed" with CSS/HTML

In kmail signed mails are indicated by a green border around the mail content.

This can be almost perfectly simulated by rebuilding that border with an HTML table. I've attached an example and screenshots of both a fake and a real mail (they're visually identical, except for some minor font rendering details that are invisible when not zooming in).

In the message list there's a small symbol indicating a signed message, so there they can be distinguished, although I doubt anyone will notice. If a message is opened in its own window there's no way to distinguish fake from real.

The problem here is with the fact that a security indicator is part of an "attacker-controlled" space, i.e. the content of a mail that gives the other party extensive layout options.
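
Added example, not part of the original report and not KMail code: a filter-side heuristic that flags a mail whose HTML body claims a signature status while its MIME structure contains nothing a client could verify. The status phrases, the function names and both sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Assumed status wording; these phrases are illustrative, not taken from KMail.
STATUS = re.compile(r"message was signed|signature is valid|good signature", re.I)
SIGNED_TYPES = {"multipart/signed", "application/pgp-signature",
                "application/pkcs7-signature", "application/pkcs7-mime"}

def has_signature_structure(msg):
    """True if the MIME tree holds something a client could verify (not proof of validity)."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in SIGNED_TYPES:
            return True
        if ctype == "text/plain" and "-----BEGIN PGP SIGNED MESSAGE-----" in part.get_content():
            return True
    return False

def html_claims_signature(msg):
    """True if the visible text of an HTML part imitates a signature status line."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            visible = re.sub(r"<[^>]+>", " ", part.get_content())
            if STATUS.search(visible):
                return True
    return False

def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    if has_signature_structure(msg):
        return "signed-structure"  # still has to be verified by the client
    return "spoofed-indicator" if html_claims_signature(msg) else "unsigned"

# Constructed sample messages (not the attachments from this bug).
FAKE = ('Content-Type: text/html; charset=utf-8\n\n<table style="border:2px solid green">'
        '<tr><td>Message was signed by alice@example.org</td></tr><tr><td>Hello</td></tr></table>\n')
REAL = ('Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b1"\n\n'
        '--b1\nContent-Type: text/plain\n\nHello\n'
        '--b1\nContent-Type: application/pgp-signature\n\nplaceholder, not a real signature\n--b1--\n')

if __name__ == "__main__":
    for name, raw in (("FAKE", FAKE), ("REAL", REAL)):
        print(name, classify(raw))
```

The check only reports a mismatch between what the body claims and what the MIME tree contains; a structural signature part is something to verify, not evidence of a valid signature.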
Comment 1 hanno 2018-09-10 08:49:55 UTC
Created attachment 114877
fake mail
Comment 2 hanno 2018-09-10 08:50:06 UTC
Created attachment 114878
real mail
Comment 3 Laurent Montel 2018-09-10 11:43:01 UTC
Indeed I confirm this bug.
I will investigate how I can fix it.
Comment 4 Laurent Montel 2018-09-11 05:08:51 UTC
Git commit a19720ae8e0aa2074fe4f055bc0464948bdd0d36 by Laurent Montel.
Committed on 11/09/2018 at 05:07.
Pushed by mlaurent into branch 'master'.

Fix Bug 398454 - GPG signatures can be faked with HTML/CSS

FIXED-IN: 5.10.0

M  +27   -5    messageviewer/src/header/grantleeheaderformatter.cpp
M  +18   -2    messageviewer/src/messageviewerheaderplugins/defaultgrantleeheaderstyleplugin/theme/5.2/header.html

https://commits.kde.org/messagelib/a19720ae8e0aa2074fe4f055bc0464948bdd0d36