Closed Bug 578295 Opened 15 years ago Closed 11 years ago

S/MIME Signature not shown/verified in nested MIME-Message

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: maxka, Unassigned)

Details

(Keywords: testcase)

Attachments

(1 file)

example of how mailman nests smime signed messages in a way that causes thunderbird to be unable to verify the signature
11.41 KB, application/octet-stream
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100506 SUSE/3.5.10-0.1.1 Firefox/3.5.10 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.4) Gecko/20100608 SUSE/3.1.0 Lightning/1.0b2 Thunderbird/3.1 When S/MIME multipart/signed message is nested in another multipart message, the signature isn't verified. However, the .p7s part isn't shown, though. Reproducible: Didn't try Expected Results: Best expectation: The signature for the signed part is verified and success is indicated. Second to best: It is indicated, that there could be a signature, or showing the S/MIME-Signature as an attachment. here's an example, a signed message gone throuhg a mailing list with an additional signature: Content-Type: multipart/mixed; boundary="MIMEStream=_0+214171_17845734712750_3202552214" --MIMEStream=_0+214171_17845734712750_3202552214 Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms060001040707080708060500" --------------ms060001040707080708060500 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable actual message, shown in the message-view window --------------ms060001040707080708060500 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature [base64] --------------ms060001040707080708060500-- --MIMEStream=_0+214171_17845734712750_3202552214 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline -- Actual mailman List footer, shown as attachment "part 1.2" AND shown inline, despite "show attachments inline" is unchecked. --MIMEStream=_0+214171_17845734712750_3202552214--
Component: Mail Window Front End → Security
QA Contact: front-end → thunderbird
The issue can be seen on the ietf-dkim@mipassoc.org mailing list. Look for recent messages from John Levine and Jesse Thompson. I will attach an example message.
Keywords: testcase
Your message isn't signed if it's only partially signed. Particularly in the context of Thunderbird, if we claimed a message was signed if only part of it was signed, an attacker could attach signed contents to a message that never get displayed and give the appearance in the UI of a signed message.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: