OpenPGP key change notification should be immediately visible
Categories
(MailNews Core :: Security: OpenPGP, defect, P2)
Tracking
(thunderbird_esr102+ fixed)
People
(Reporter: KaiE, Assigned: KaiE)
References
(Regression)
Details
(Keywords: regression)
Attachments
(2 files, 1 obsolete file)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
3.55 KB,
patch
|
wsmwk
:
approval-comm-esr102+
|
Details | Diff | Splinter Review |
When using OpenPGP, although not ideal, people are often tempted to use "optimistic acceptance" of a key. In other words, they might receive (or find) a correspondent's OpenPGP key, and decide to accept it, without performing fingerprint verification. (This is a form of TOFU, trust on first use.)
As long as the same correspondent keeps using the same key for signing emails (with or without additional encryption), the user may feel confident that they are still talking to the same person.
Problematic scenario:
What happens if an email is received that was signed with a new key (or simply has a new key attached) for the correspondent's email address?
It could mean that the sender has legitimately decided to use a fresh key (new computer, lost old key, etc.).
Or it could mean that an attacker is sending an email with a falsified email sender header, and has a fake key in the victim's name attached. (In the hope that the recipient will import and accept that new fake key, and start using it for encryption, enabling the attacker to read those email.)
Intention:
In the past, I had introduced a warning message for that scenario.
We are able to detect that scenario, and immediately notify the user that something unusual is going on with a received email.
The text of that warning is:
Warning: The new OpenPGP public key in this message differs from the public keys that you previously accepted for { $email }.
(openpgp-be-careful-new-key)
Bug:
This message is no longer shown immediately.
In bug 1647039, a change was made to hide all OpenPGP notifications behind the OpenPGP label. In order to see this warning message, you have to first click the OpenPGP label.
And when clicked, this warning text is combined and added after a different text, which makes it less noticeable. (It's shown after the text "this message claims to contain the sender's key".)
I consider this a functional regression. In my opinion, the original intention to immediately warn the user about such an incoming email, is no longer sufficiently achieved.
Expected behavior:
The warning text of string "openpgp-be-careful-new-key" should be immediately visible in the email (without having to click the OpenPGP label), and it should be shown separately from other information text.
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 1•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 2•1 year ago
|
||
I think we should backport this change to esr102. We'll need a slightly adjusted patch.
|
|
Assignee | |
Comment 3•1 year ago
|
||
|
|
Assignee | |
Comment 4•1 year ago
|
||
|
||
Updated•1 year ago
|
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/8e79481519c7
OpenPGP key change notification should be immediately visible. r=aleca
|
|
Assignee | |
Comment 6•1 year ago
|
||
Comment on attachment 9315548 [details] [diff] [review]
1814003-esr102-v2.patch
[Approval Request Comment]
Regression caused by (bug #): 1647039
User impact if declined: important notification not visible
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): seems low
|
||
Comment 7•1 year ago
|
||
Comment on attachment 9315548 [details] [diff] [review]
1814003-esr102-v2.patch
[Triage Comment]
Approved for esr102
|
||
Comment 8•1 year ago
|
||
| bugherder uplift | ||
Thunderbird 102.9.0:
https://hg.mozilla.org/releases/comm-esr102/rev/b944ec309fe0
Description
•