Total incorrect statement in OpenPGP icon for SHA1 PGP signed mails.
Categories
(Thunderbird :: Security, defect)
Tracking
(thunderbird_esr115 affected)
People
(Reporter: super.dukefb1, Assigned: KaiE)
Attachments
(2 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Steps to reproduce:
Received and opened the sha1 openpgp signed mail.
Click the OpenPGP icon.
Actual results:
The statement in the OpenPGP icon claimed that this mail has been corrupted or has been modified by someone else. But this statement is NOT CORRECT.
Expected results:
Because this signed sha1 OpenPGP mail was verified good in Enigmail and Kleopatra, the statement that Thunderbird made is totally incorrect.
It would be better for Thunderbird to still verify the mail and report good or bad, and also warn the user that sha1 is weak and not supported and might be risky...
Comment 1•2 years ago (Assignee)
When working on bug 1532292, I was overly strict.
I had disabled the processing of messages with an SHA-1 S/MIME signature in two places:
(1) very early based on the micalg header
(2) later on after the signature check was done
The change (1) causes this general error message about the signature being invalid.
The change at (1) was unnecessary. The change (2) would have been sufficient.
If the code is allowed to run past (1) and arrive at (2), then we display the slightly better error message
"the message was signed using an encryption strength that this version of your software does not support"
Comment 2•2 years ago (Assignee)
Comment 3•2 years ago (Assignee)
Note, an email that can be used to test can be found in bug 1856961 (smime.eml).
Also note that it isn't sufficient to use file/open with such an .eml file; we have a bug that causes S/MIME signatures in separate message windows not to be shown. (We have a separate bug report for that on file.)
So, in order to reproduce, download that message file, use file/open to view it, then use message/copy-to to copy the message to one of your mail folders, and then go to that folder and open the message in the folder. Then the signature status is shown.
Comment 4•2 years ago
Hmm, this bug was really reported about OpenPGP. The fix is for S/MIME.
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/d1f36652a62e
Don't abort processing of S/MIME signatures very early to allow better error messages. r=mkmelin
Comment 6•2 years ago
This is failing a test: https://treeherder.mozilla.org/jobs?repo=comm-central&selectedTaskRun=IgtL09kqSCWxrdBXUxbUug.0
Locally just a single run seems to succeed, but
./mach test --verify comm/mailnews/mime/test/unit/test_smime_decrypt.js
fails within 10s for me. Succeeds with the patch backed out.
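The two check orderings described in comment 1, as an added example that is not Thunderbird's code and not part of any comment above. A plain RSA signature stands in for the S/MIME (CMS) signature, the hash is chosen from the micalg parameter, and every function name and status string here is an assumption made for illustration.

```javascript
// Added illustration; names and the RSA stand-in are assumptions, not Thunderbird code.
const nodeCrypto = require('node:crypto');

const KNOWN = new Set(['sha1', 'sha256', 'sha384', 'sha512']);
const WEAK = new Set(['sha1']);

// Pull micalg out of a multipart/signed Content-Type value ("sha-1" -> "sha1").
function micalgOf(contentType) {
  const m = /;\s*micalg\s*=\s*"?([A-Za-z0-9-]+)"?/i.exec(contentType);
  return m ? m[1].toLowerCase().replace(/-/g, '') : null;
}

function signatureOk(alg, msg) {
  return nodeCrypto.verify(alg, Buffer.from(msg.body), msg.publicKey, msg.signature);
}

// Ordering (1): reject on the header alone, before any cryptographic check.
// An intact SHA-1 message and a modified one become indistinguishable.
function statusEarlyAbort(msg) {
  const alg = micalgOf(msg.contentType);
  if (!KNOWN.has(alg) || WEAK.has(alg)) return 'invalid-signature';
  return signatureOk(alg, msg) ? 'good' : 'invalid-signature';
}

// Ordering (2): run the signature check first, then apply the algorithm policy.
// Assumption: a failed check is reported as invalid whatever the hash was.
function statusLateCheck(msg) {
  const alg = micalgOf(msg.contentType);
  if (!KNOWN.has(alg) || !signatureOk(alg, msg)) return 'invalid-signature';
  return WEAK.has(alg) ? 'unsupported-strength' : 'good';
}

// Constructed sample messages, signed with a throwaway key generated here.
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

function makeSigned(micalg, body) {
  const alg = micalg.replace(/-/g, '');
  return {
    contentType: `multipart/signed; protocol="application/pkcs7-signature"; micalg=${micalg}`,
    body,
    publicKey,
    signature: nodeCrypto.sign(alg, Buffer.from(body), privateKey),
  };
}

const sha1Mail = makeSigned('sha-1', 'constructed test body');
const sha256Mail = makeSigned('sha-256', 'constructed test body');
const tamperedSha1 = { ...sha1Mail, body: 'constructed test body (edited)' };
```

With ordering (1) the intact SHA-1 message gets the same status as the tampered one; with ordering (2) only the tampered one is reported as invalid.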