enigma plugin: gpg redressing attack

[hannob]

I want to report a security vulnerability in the way signed messages are displayed in the enigma plugin.

Signed messages are displayed with a green box in the message window. As this is space that is controlled by the sender of a mail it should be considered attacker controlled.

An attacker trying to fake a mail signature can simply rebuild that green box with HTML/CSS and add that to the top of the mail. (I skipped creating a PoC for this, as I already did this for several other mail clients and rebuilding things in HTML gets boring, but it should be straightforward obvious that this is possible.)

The information about a valid signature must not be displayed in attacker-controlled space. One way of fixing this is to put the signature info box above the mail headers. (This is what enigmail did after I reported it to them.)

[jensvoid]

Note that this issue also applies to the way S/MIME signatures are presented to the user by Roundcube/Enigma.

[alecpl]

Problem is that sometimes we have to display these boxes inline, e.g. when you have a few signed messages attached to another message. Displaying all boxes on top for such a case would be strange and wrong.

Another option would be to add user-configurable background pattern like Security Background in Mailvelope, either for the email body or the signature status box.

[alecpl]

Proposed solution: #6759.

[lambdafu]

As an alternative, maybe consider opening attachments in their own tab or window. There is a huge benefit from having only one signature or encryption context per message. Then you can also verify that the scope of that context is the whole email and mitigate wrapping attacks.

[MattyShires]

Has any action been done on this?

[alecpl]

No. There's a PR waiting for comments and some more considerations if it's a appropriate way of fixing the issue.