Open Bug 1836264 Opened 1 year ago Updated 10 months ago

If an HTML email refers to remote elements, consider hiding OpenPGP/S/MIME signature status (because the signature cannot cover remote content)

Categories

(MailNews Core :: Security: OpenPGP, enhancement)

enhancement

Tracking

(Not tracked)

People

(Reporter: KaiE, Unassigned)

References

Details

DKG suggested that if an HTML email refers to remote elements, and the message also contains a digital signature, then we should consider treating the OpenPGP/S/MIME signature status as invalid (because we cannot control what's shown on those remote elements).

We don't load remote content in encrypted emails. If they care about security, they should encrypt as well.
For signed-only - well, it's still signed. We shouldn't tell users a proper signature is invalid. Can't have the cookie and eat it too - just use encryption and all is ok.

FYI, I should have mentioned that the suggestions need to be seen in the context of bug 1836262.

What DKG actually said is that he suggests simply not showing any signature status indicator at all - if there's a remote content reference - even if the signature is valid. (Sorry for being misleading in the initial comment.)

Based on that, the suggestion here is to treat the signature as "not really fully complete, because it cannot cover the remote content", and therefore treat it as another scenario that triggers "hide signature status" (as suggested in bug 1836262).

Summary: If an HTML email refers to remote elements, consider OpenPGP/S/MIME signature status as invalid → If an HTML email refers to remote elements, consider hiding OpenPGP/S/MIME signature status (because the signature cannot cover remote content)

I'm glad that remote content is not loaded in encrypted e-mails, that's a good choice.
This note is about signed messages whether they are encrypted or not, though.

If a signed message is displayed with remote content disabled then it could be considered to have a valid signature, since the only thing displayed is what is in the signed object itself.

If a signed message is displayed with remote content loaded, it should not be considered to have a valid signature, because the remote content is not covered by the signature itself.

If there is any reason to show that a missing signature is somehow "bad" for a given message (e.g. https://datatracker.ietf.org/doc/draft-dkg-lamps-expect-signed-mail/ ) then it seems to me like a signed message displayed with remote content loaded should be considered "bad".
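The rule in the comment above (valid when the signed object is all that is displayed; no valid status once un-signed remote content has been fetched into the display) can be made concrete with a small scanner. The following is an added illustration written for this page; it is not code from this bug, from Thunderbird, or from DKG. It assumes a client that already knows whether a signature verified and whether it loaded remote content, and it uses the Python standard library's html.parser to find references that would trigger a network fetch (img src, link href, CSS url() and @import, srcset, background, poster, data). The sample message body is constructed; the function and state names are this example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Schemes whose URLs make the mail client fetch from the network.
# cid: (a MIME part of the same message), data: and mailto: stay inside the
# signed object, so they are not remote content.
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Attributes that are fetched automatically when the body is rendered.
# href only auto-loads on <link> (stylesheets, icons); on <a> it is a click
# target, not remote content, so it is handled as a special case below.
AUTOLOAD_ATTRS = {"src", "srcset", "background", "poster", "data"}

# url(...) and @import references inside <style> blocks or style="" attributes.
CSS_URL = re.compile(
    r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I)


def is_remote(url: str) -> bool:
    """True if resolving this URL would leave the message (a network fetch)."""
    url = url.strip()
    if url.startswith("//"):  # scheme-relative, resolves to http(s)
        return True
    return urlparse(url).scheme.lower() in REMOTE_SCHEMES


class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for every reference to remote content."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[tuple[str, str, str]] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in AUTOLOAD_ATTRS or (name == "href" and tag == "link"):
                # srcset carries comma-separated "url descriptor" candidates
                urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                        if name == "srcset" else [value])
                self.refs.extend((tag, name, u) for u in urls if is_remote(u))
            elif name == "style":
                self._scan_css(tag, value)
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._scan_css("style", data)

    def _scan_css(self, tag, css):
        for m in CSS_URL.finditer(css):
            url = m.group(1) or m.group(2)
            if is_remote(url):
                self.refs.append((tag, "css", url))


def find_remote_refs(html_body: str):
    parser = RemoteRefFinder()
    parser.feed(html_body)
    parser.close()
    return parser.refs


def signature_indicator(has_signature: bool, signature_valid: bool,
                        html_body: str, remote_content_loaded: bool) -> str:
    """Indicator state for the message as it is currently displayed.

    Returns "none", "invalid", "valid" or "hidden". "hidden" is the proposed
    state (hypothetical name): the signature verified, but the display now
    includes fetched remote content the signature does not cover, so no
    status is asserted. With remote content blocked, only the signed object
    is shown and the signature may still be reported as valid.
    """
    if not has_signature:
        return "none"
    if not signature_valid:
        return "invalid"
    if remote_content_loaded and find_remote_refs(html_body):
        return "hidden"
    return "valid"


# Constructed sample body: an inline MIME image and a data: URI (both covered
# by the signature), plus a remote image, a remote CSS background, a remote
# stylesheet and a scheme-relative background in a style attribute.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.invalid/mail.css">
<style>body { background: url("https://example.invalid/bg.png"); }</style>
</head><body>
<img src="cid:part1.abc@example.invalid" alt="inline">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="data">
<img src="http://example.invalid/track.gif" width="1" height="1">
<td style="background-image: url(//example.invalid/hdr.jpg)">text</td>
<a href="https://example.invalid/">link (click target, not auto-loaded)</a>
</body></html>"""

if __name__ == "__main__":
    for ref in find_remote_refs(SAMPLE_HTML):
        print(ref)
    print(signature_indicator(True, True, SAMPLE_HTML, remote_content_loaded=False))
    print(signature_indicator(True, True, SAMPLE_HTML, remote_content_loaded=True))
```

A scanner like this only sees references in the HTML part it is given; CSS or HTML delivered in other MIME parts, and fetches triggered by plugins or scripting the client allows, would need the same treatment. The decision is deliberately keyed on whether remote content was actually loaded, not merely referenced, which is the distinction the comment above draws.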
