Closed Bug 1814003 Opened 4 months ago Closed 4 months ago

OpenPGP key change notification should be immediately visible


(MailNews Core :: Security: OpenPGP, defect, P2)


(thunderbird_esr102+ fixed)

111 Branch


(Reporter: KaiE, Assigned: KaiE)




(Keywords: regression)


(2 files, 1 obsolete file)

When using OpenPGP, although not ideal, people are often tempted to use "optimistic acceptance" of a key. In other words, they might receive (or find) a correspondent's OpenPGP key, and decide to accept it, without performing fingerprint verification. (This is a form of TOFU, trust on first use.)

As long as the same correspondent keeps using the same key for signing emails (with or without additional encryption), the user may feel confident that they are still talking to the same person.

Problematic scenario:

What happens if an email is received that was signed with a new key (or simply has a new key attached) for the correspondent's email address?

It could mean that the sender has legitimately decided to use a fresh key (new computer, lost old key, etc.).

Or it could mean that an attacker is sending an email with a falsified email sender header, and has a fake key in the victim's name attached. (In the hope that the recipient will import and accept that new fake key, and start using it for encryption, enabling the attacker to read those emails.)


In the past, I had introduced a warning message for that scenario.

We are able to detect that scenario, and immediately notify the user that something unusual is going on with a received email.

The text of that warning is:
Warning: The new OpenPGP public key in this message differs from the public keys that you previously accepted for { $email }.


This message is no longer shown immediately.
In bug 1647039, a change was made to hide all OpenPGP notifications behind the OpenPGP label. In order to see this warning message, you have to first click the OpenPGP label.

And when clicked, this warning text is combined and added after a different text, which makes it less noticeable. (It's shown after the text "this message claims to contain the sender's key".)

I consider this a functional regression. In my opinion, the original intention to immediately warn the user about such an incoming email is no longer sufficiently achieved.

Expected behavior:

The warning text of string "openpgp-be-careful-new-key" should be immediately visible in the email (without having to click the OpenPGP label), and it should be shown separately from other information text.
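
The check and the expected display behaviour described above, sketched as an added example (not part of the bug report and not Thunderbird's code): the function names, the notice structure and the "message-contains-sender-key" id are hypothetical, and the stored fingerprints are assumed to be already normalized.

```javascript
"use strict";
// Added illustration, not Thunderbird code. Function names, the notice
// structure and the "message-contains-sender-key" id are hypothetical.

// Strip spaces, "0x" and case so formatting is never read as a key change.
function normalizeFingerprint(fpr) {
  return String(fpr).replace(/\s+/g, "").replace(/^0x/i, "").toUpperCase();
}

// acceptedKeys: Map of email -> Set of fingerprints the user accepted before.
function classifyAttachedKey(acceptedKeys, email, attachedFpr) {
  const known = acceptedKeys.get(email);
  if (!known || known.size === 0) {
    return "first-contact"; // nothing to compare against yet
  }
  return known.has(normalizeFingerprint(attachedFpr)) ? "known-key" : "key-changed";
}

// "immediate" notices belong in the message view itself; "details" notices
// may sit behind the OpenPGP label. The key-change warning is kept separate.
function buildNotices(acceptedKeys, msg) {
  const notices = { immediate: [], details: [] };
  if (!msg.attachedKeyFpr) {
    return notices;
  }
  const email = msg.from.trim().toLowerCase();
  notices.details.push({ id: "message-contains-sender-key" });
  if (classifyAttachedKey(acceptedKeys, email, msg.attachedKeyFpr) === "key-changed") {
    notices.immediate.push({ id: "openpgp-be-careful-new-key", email });
  }
  return notices;
}

// Constructed sample data: fingerprints and addresses are made up.
const OLD_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555";
const NEW_FPR = "9999FFFF8888EEEE7777DDDD6666CCCC5555BBBB";
const accepted = new Map([["alice@example.org", new Set([OLD_FPR])]]);

const sameKey = buildNotices(accepted, {
  from: "Alice@Example.org",
  attachedKeyFpr: "aaaa 1111 bbbb 2222 cccc 3333 dddd 4444 eeee 5555",
});
const changedKey = buildNotices(accepted, { from: "alice@example.org", attachedKeyFpr: NEW_FPR });
console.log(sameKey.immediate.length, changedKey.immediate.map((n) => n.id));
```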

Summary: OpenPGP key change notification isn't immediately visible → OpenPGP key change notification should be immediately visible
Regressed by: 1647039
Assignee: nobody → kaie

I think we should backport this change to esr102. We'll need a slightly adjusted patch.

Attached patch 1814003-esr102.patch (obsolete)
Attachment #9315546 - Attachment is obsolete: true
Target Milestone: --- → 111 Branch

Pushed by
OpenPGP key change notification should be immediately visible. r=aleca

Closed: 4 months ago
Resolution: --- → FIXED

Comment on attachment 9315548

[Approval Request Comment]
Regression caused by (bug #): 1647039
User impact if declined: important notification not visible
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): seems low

Attachment #9315548 - Flags: approval-comm-esr102?

Comment on attachment 9315548

[Triage Comment]
Approved for esr102

Attachment #9315548 - Flags: approval-comm-esr102? → approval-comm-esr102+