View Security Info shows incorrect information when Require Encryption is selected for S/MIME encryption - until draft message is saved
Categories: Thunderbird :: Security, defect
Tracking: thunderbird_esr78+ fixed, thunderbird86+ fixed
People: Reporter: deric.sullivan, Assigned: mkmelin
Attachments (2 files):
- image/png, 8.05 KB
- patch, 10.29 KB (aleca: review+; wsmwk: approval-comm-beta+; wsmwk: approval-comm-esr78+)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Steps to reproduce:
In Thunderbird, when writing an email, from the Security menu I select "Require Encryption", then from the same menu I select "View Security Info". The information shown seems incorrect.
If I save the email as draft and then "View Security Info" again, then the information seems correct. Or I can wait a while (presumably until a draft is automatically saved) and the information also becomes correct.
Note that if I send the email while the info seems incorrect, the message is still encrypted, so there does not appear to be a major security concern with this issue.
My setup: Thunderbird version 78.6.0 (64-bit) running on Linux (Ubuntu 20.04) and pulling certificates out of an LDAP server.
Actual results:
View Security Info will say:
"The contents of your message will be sent as follows:
Digitally signed: No
Encrypted: No"
Expected results:
View Security Info should say:
"The contents of your message will be sent as follows:
Digitally signed: Yes
Encrypted: Yes"
Comment 1 • 5 years ago
Do you also see this?
Comment 2 (Reporter) • 5 years ago
Note that my version of Thunderbird has been upgraded from 78.6.0 to now 78.7.0 and the issue is still present.
Comment 3 • 5 years ago
I can confirm this for S/MIME encryption: when I select Require Encryption from the Options menu and S/MIME from the Encryption Technology submenu under Options and immediately choose Message Security Info from the View menu, Digitally Signed and Encrypted is still shown as No, although the status of the certificates of the recipients is already shown correctly.
For OpenPGP messages, only the status of the keys of the recipients is shown, so the security info for such messages is shown correctly.
Comment 4 (Assignee) • 5 years ago
Seems ok on trunk, even if the UI is a bit confusing. Unless all the recipients' keys are known and listed as valid, it will show the no's. If I try to send to myself (for which I of course have the key), it does show Yes, Yes.
Comment 5 (Reporter) • 5 years ago
For me, when sending to a single recipient, the View Security Info shows No, No even if the recipient certificate status shows as Valid.
Comment 6 • 5 years ago
For me it also shows No No, until the draft is saved...
Comment 7 • 5 years ago
Comment 8 (Reporter) • 5 years ago
Note that the issue can be seen in the reverse situation as well. I can prepare an email for sending with encryption (S/MIME), save as draft so the View Security Info shows Yes, Yes, then de-select Encryption (choose "Do Not Encrypt" from the Security pull down menu), and View Security Info again. This time Yes, Yes will be shown when I would expect it to be No, No. If I again save as draft, the information will be OK if I select View Security Info again.
Comment 9 • 5 years ago
(In reply to Magnus Melin [:mkmelin] from comment #4)
> Seems ok on trunk, even if the UI is a bit confusing. Unless all the recipients' keys are known and listed as valid, it will show the no's. If I try to send to myself (for which I of course have the key), it does show Yes, Yes.
I checked in latest Daily, but I still see this problem. Don't know how you checked? Maybe the draft was already saved.
Furthermore, if you close the draft message after saving and reopen it, again the wrong info is shown, until the next (auto) save of the message.
Comment 10 (Assignee) • 5 years ago
Yes, I think what happened is the auto-draft got saved. I've found the problem and have a patch I'm testing.
It looks like this is a very old problem.
Comment 11 (Assignee) • 5 years ago
https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=8dc8190333beac7138f164804e74023ae8a408ba (just started)
Getting rid of the global gSMFields. The changes in enigmail code are not changing anything, just updating the references (dead/uncommented code atm)
Comment 12 • 5 years ago
Comment 13 • 5 years ago
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/8f36cf1cf596
make viewing S/MIME security info during compose show the right values. r=aleca
Comment 14 (Assignee) • 5 years ago
Comment on attachment 9200965: bug1683701_smime_view_secinfo.patch
[Approval Request Comment]
Regression caused by (bug #): not a regression, or then it's a very old regression
User impact if declined: during composition View Message Security shows wrong details until the message is (auto) saved as a draft.
Testing completed (on c-c, etc.): on c-c
Risk to taking this patch (and alternatives if risky): not very risky, it's not a very commonly used UI which is why it was unnoticed for ages
Comment 15 • 5 years ago
Comment on attachment 9200965: bug1683701_smime_view_secinfo.patch
[Triage Comment]
Approved for beta
Comment 16 (bugherder uplift) • 5 years ago
Thunderbird 86.0b2:
https://hg.mozilla.org/releases/comm-beta/rev/eb14ce2382c1
Comment 17 • 5 years ago
Comment on attachment 9200965: bug1683701_smime_view_secinfo.patch
[Triage Comment]
Approved for esr78
Comment 18 (bugherder uplift) • 5 years ago
Thunderbird 78.8.0:
https://hg.mozilla.org/releases/comm-esr78/rev/59fe07501063
Comment 19 (Reporter) • 5 years ago
My version of Thunderbird is now updated to 78.8.0. I no longer see the original problem that I reported. So as far as I can tell the issue is resolved for me. Thank you for your help.
Comment 20 • 5 years ago
This caused regression bug 1697252.
Comment 21 • 5 years ago
In my testing, the change in function showMessageComposeSecurityStatus() is sufficient to fix this issue.