Closed Bug 1865069 Opened 2 years ago Closed 2 years ago

Add an extra clock warn icon to mails with old PGP signatures (<2h)

Categories

(MailNews Core :: Security: OpenPGP, enhancement)

Thunderbird 115
enhancement

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: pierre+mozilla, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Steps to reproduce:

In my organisation, we are signing a bunch of automatic mails for our users to help users identify phishing attempts.
Some mails are dynamically signed, but some other "reminder" mails are statically signed once and sent periodically by cron jobs.

For these reminders, my Thunderbird was showing a good signature the first time it was sent by the cron job, but the following day it was shown as invalid.

I found afterwards that bug report #1863705 describes the problem, but I think there is still room for improvement in the UI.

Actual results:

The statically signed mail is shown as invalid if sent more than 1h59m after it was signed. Other MUAs show the signature as valid.

Expected results:

The signature should be shown as valid since it is valid.
I understand the risk of "replay" attack, but I think a small "clock" warning symbol next/on top of the green checkmark "signature is valid" would be more helpful than defining the signature as invalid.
A message explaining the risk of a replay attack could be added in the detailed information about the signature.

Bug 1863705 takes care of the better explanation message.

Thanks for the suggestion, but I don't think we can add any more icons here. Unfortunately signatures are not well understood by people in general to begin with... further icon overload won't be helpful with that.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX

I understand the problem about adding more strange icons to the UI. It was the only idea which came to me when facing this problem.
I also find a better explanation text good.

However, I'm not happy with the classification of an old signature as invalid.

gnupg considers the same message as valid, and so do other mail clients which use gpg directly; that is why I think it's a good idea to only warn the user that the message was signed "long" before the mail was actually sent.

I see other use cases, where signing a message could differ from the time of sending it.

  • A person having their PGP keys on an air-gapped machine, and copying signed messages out of it to send them from another computer.
  • Other reasons for postponing the sending of signed messages (stuff like "if you get this email, I am dead").

By the way, I would love to know how the 2 hours delay was decided for Thunderbird, or if it comes from some other OpenPGP best practices, and if other PGP integrations are doing the same.
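The check the thread is arguing about, as an added example that is not Thunderbird's code: it pulls the Signature Creation Time subpacket out of a v4 OpenPGP signature packet, compares it with the message's Date header, and returns the reporter's proposed verdict (valid, valid with a clock warning, or invalid when the signing time lies after the sending time). The 2-hour window, the packet builder and the sample timestamps are assumptions constructed for the example; the builder emits correct framing but no real signature material.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_AGE = timedelta(hours=2)  # assumed window; the bug says 1h59m still passes

def sig_creation_time(packet: bytes) -> datetime:
    """Creation time from a v4 signature packet (RFC 4880 5.2.3). Handles only
    an old-format header with a one-octet length and one-octet subpacket lengths."""
    hdr = packet[0]
    if not hdr & 0x80 or hdr & 0x40:
        raise ValueError("only old-format packet headers are handled here")
    tag, length_type = (hdr >> 2) & 0x0F, hdr & 0x03
    if tag != 2 or length_type != 0:
        raise ValueError("expected a signature packet with a one-octet length")
    body = packet[2:2 + packet[1]]
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed, i = body[6:6 + hashed_len], 0
    while i < len(hashed):
        sp_len = hashed[i]              # covers the type octet plus the data
        if sp_len >= 192:
            raise ValueError("multi-octet subpacket lengths not handled here")
        sp_type = hashed[i + 1] & 0x7F  # top bit is the 'critical' flag
        if sp_type == 2:                # Signature Creation Time, 4-octet UNIX time
            ts = int.from_bytes(hashed[i + 2:i + 1 + sp_len], "big")
            return datetime.fromtimestamp(ts, timezone.utc)
        i += 1 + sp_len
    raise ValueError("no creation-time subpacket in hashed area")

def build_fake_sig_packet(created: datetime) -> bytes:
    """Constructed stand-in for a real signature: correct framing, no MPIs."""
    ts = int(created.timestamp()).to_bytes(4, "big")
    hashed = bytes([5, 2]) + ts         # subpacket length 5, type 2, timestamp
    body = (bytes([4, 0x01, 22, 8])     # v4, text-document sig, EdDSA, SHA-256
            + len(hashed).to_bytes(2, "big") + hashed
            + b"\x00\x00"               # empty unhashed area
            + b"\xab\xcd")              # left 16 bits of the hash (dummy)
    return bytes([0x88, len(body)]) + body  # 0x88: old format, tag 2, 1-octet len

def classify(packet: bytes, date_header: str):
    """Compare signing time with the Date header; returns (verdict, age)."""
    age = parsedate_to_datetime(date_header) - sig_creation_time(packet)
    if age < timedelta(0):
        return "invalid", age              # signed after it was sent: skew or tampering
    if age >= MAX_AGE:
        return "valid-clock-warning", age  # the reporter's proposal instead of 'invalid'
    return "valid", age

SIGNED_AT = datetime(2023, 11, 18, 8, 0, tzinfo=timezone.utc)  # constructed
PACKET = build_fake_sig_packet(SIGNED_AT)
```

Feeding the same packet with a Date header one day later reproduces the reminder case from the report: the signature itself is untouched, only its age changes.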
