Closed
Bug 578295
Opened 14 years ago
Closed 10 years ago
S/MIME Signature not shown/verified in nested MIME-Message
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: maxka, Unassigned)
Details
(Keywords: testcase)
Attachments
(1 file)
11.41 KB,
application/octet-stream
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100506 SUSE/3.5.10-0.1.1 Firefox/3.5.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.4) Gecko/20100608 SUSE/3.1.0 Lightning/1.0b2 Thunderbird/3.1

When an S/MIME multipart/signed message is nested in another multipart message, the signature isn't verified. However, the .p7s part isn't shown, though.

Reproducible: Didn't try

Expected Results:
Best expectation: The signature for the signed part is verified and success is indicated.
Second to best: It is indicated that there could be a signature, or the S/MIME signature is shown as an attachment.

Here's an example, a signed message gone through a mailing list with an additional signature:

Content-Type: multipart/mixed; boundary="MIMEStream=_0+214171_17845734712750_3202552214"

--MIMEStream=_0+214171_17845734712750_3202552214
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms060001040707080708060500"

--------------ms060001040707080708060500
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

actual message, shown in the message-view window

--------------ms060001040707080708060500
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

[base64]
--------------ms060001040707080708060500--

--MIMEStream=_0+214171_17845734712750_3202552214
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- Actual mailman List footer, shown as attachment "part 1.2" AND shown inline, despite "show attachments inline" is unchecked.

--MIMEStream=_0+214171_17845734712750_3202552214--
Updated•14 years ago
Component: Mail Window Front End → Security
QA Contact: front-end → thunderbird
Comment 1•14 years ago
The issue can be seen on the ietf-dkim@mipassoc.org mailing list. Look for recent messages from John Levine and Jesse Thompson. I will attach an example message.
Comment 2•14 years ago
Comment 3•10 years ago
Your message isn't signed if it's only partially signed. Particularly in the context of Thunderbird, if we claimed a message was signed if only part of it was signed, an attacker could attach signed contents to a message that never get displayed and give the appearance in the UI of a signed message.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
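The distinction Comment 3 draws, as an added example that is not part of the bug thread or Thunderbird's code: a structural check that reports whether a multipart/signed part covers the whole message or only a nested part, and which leaf parts lie outside it. The sample message is constructed after the structure in the report, the part numbering (1, 1.1, 1.2) is an assumption of this example, and no cryptographic verification is performed.

```python
from email import message_from_string

# Constructed sample: same nesting as the reported message, boundaries shortened,
# signature blob replaced by a placeholder (no cryptographic check is done here).
NESTED = """\
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="inner"

--inner
Content-Type: text/plain; charset=ISO-8859-1

actual message
--inner
Content-Type: application/pkcs7-signature; name="smime.p7s"

PLACEHOLDER
--inner--
--outer
Content-Type: text/plain; charset="us-ascii"

list footer
--outer--
"""

SIG_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def is_signed(part):
    return (part.get_content_type() == "multipart/signed"
            and (part.get_param("protocol") or "").lower() in SIG_PROTOCOLS)

def coverage(raw):
    """Return (verdict, leaf parts outside any S/MIME signature) for a raw message."""
    root = message_from_string(raw)
    signed_seen, uncovered = False, []
    def walk(part, path, covered):
        nonlocal signed_seen
        if is_signed(part):
            signed_seen = covered = True  # everything below this part is under the signature
        if part.is_multipart():
            for i, child in enumerate(part.get_payload(), 1):
                walk(child, f"{path}.{i}", covered)
        elif not covered:
            uncovered.append((path, part.get_content_type()))
    walk(root, "1", False)  # numbering 1, 1.1, 1.2 is an assumption of this example
    if not signed_seen:
        return "unsigned", uncovered
    return ("whole" if is_signed(root) else "partial"), uncovered
```

On the sample, the mailing-list footer is reported as the uncovered part, which is the content a "signed" indicator for the whole message would wrongly vouch for.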