Closed Bug 274517 Opened 20 years ago Closed 19 years ago

No Warning shown when mail signed by Invalid/Untrusted S/MIME x.509

Categories

(Thunderbird :: General, defect)

Product:
Thunderbird
Component:
General
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED EXPIRED

People

(Reporter: johnmoore3rd, Assigned: mscott)

Details

(Whiteboard: [sg:nse]) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Mail signed with Untrusted/Invalid x.509 is opened without Warning to the User
that a risk is being taken.  While T-Bird does not import the cert into
Certificate Store, User should also be notified that the signing certificate
suffers from issues/problems.

Reproducible: Always

Steps to Reproduce:
1.Open "Authorities" in Cert. Store & select a cert.

2.Rt click, select Edit and remove trust.

3.Send email to T-Bird client.  The client will be able to open the Untrusted
cert signed email without becoming aware that T-Bird isn't importing the cert
due to Trust issues.

Actual Results:  
Fortunately nothing, I trusted the Sender & had requested the x.509 for import
purposes.  I was very frustrated to learn that their cert had not been imported.
 That's when I discovered the problem.  I hadn't set the trust level on CAcert
Root in my system.  However, several of us "played" with this Security hole for
about an hour.

Expected Results:  
Popped Up a warning (as Firefox does) that an Untrusted/Invalid certificate has
been used.  Then offer the User the option of proceeding to open email at their
own risk after verifying the Sender, or "bounce" the email.
reporter: while this is a bug, i don't feel it's a security issue that is served
in any way by keeping it confidential (you do lose potential hackers who might
otherwise fix it). the only reason i'm not removing the flag is that this turned
up in only one of two buglists that i asked bugzilla for and i'm trying to get a
bug about those lists resolved before i change the state of the lists.
(unfortunately, for all i know merely commenting in the bug could change its
state, but here goes.)
Don't we show the "broken signature" icon in the message header bar for this case?
Group: security
Whiteboard: [sg:nse]
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

This bug has been automatically resolved after a period of inactivity (see above
comment). If anyone thinks this is incorrect, they should feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → EXPIRED
You need to log in before you can comment on or make changes to this bug.