Open Bug 864657 Opened 12 years ago Updated 3 years ago

S/MIME certificate accepted for wrong email address

Categories

(Thunderbird :: Security, defect)

17 Branch
x86_64
Linux
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: mail, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0
Build ID: 20130409194949

Steps to reproduce:

Received an email from "john.doe@someuniversity.edu" with S/MIME signature.

Actual results:

S/MIME signature was shown as valid even though the certificate was for the address "John.Doe@SomeUniversity.edu".

Expected results:

Signature should have been marked invalid as "john.doe" != "John.Doe", which may be separate mail accounts at "someuniversity.edu". Apple Mail worked correctly in this case.

Component: Untriaged → Security

Alfred, the reporter is gone. Are you aware whether this condition still exists?

Flags: needinfo?(infofrommozilla)

Yes, we still don't care about the capitalization.

Tested with: Attachment 9180834
It shows a warning about a wrong address because it is a list posting (From: ub-newsletter@...).
It is signed by m.kloid@...
If I change the FROM(!) header address to M.Kloid@... it is shown as valid without a warning.

Flags: needinfo?(infofrommozilla)
Severity: normal → S3
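
The two comparison rules at issue in this bug, side by side, as an added example that is not Thunderbird code and not written by anyone in the thread: the lax rule case-folds the whole address (the behaviour reported), while the strict rule compares the local part exactly and only the domain case-insensitively (the behaviour the reporter expected, which is also the email matching rule in RFC 5280 section 7.5). All function names are hypothetical, and the sample addresses are constructed from the ones in the report.

```javascript
// Added example: hypothetical helper names, not Thunderbird code.

// Split at the last "@" so a quoted local part containing "@" stays intact.
function splitAddress(addr) {
  const at = addr.lastIndexOf("@");
  if (at <= 0 || at === addr.length - 1) {
    return null; // missing local part or missing domain
  }
  return { local: addr.slice(0, at), domain: addr.slice(at + 1) };
}

// Lax rule, the behaviour the report describes: whole address case-folded.
function matchesLax(headerAddr, certAddr) {
  return headerAddr.toLowerCase() === certAddr.toLowerCase();
}

// Strict rule the reporter expects: local part exact, domain case-insensitive.
function matchesStrict(headerAddr, certAddr) {
  const h = splitAddress(headerAddr);
  const c = splitAddress(certAddr);
  if (!h || !c) return false;
  return h.local === c.local &&
         h.domain.toLowerCase() === c.domain.toLowerCase();
}

// Classify a From address against every address in the signer certificate.
// "case-only-difference" marks the inputs on which the two rules disagree.
function classifySigner(headerAddr, certAddrs) {
  if (!splitAddress(headerAddr)) return "mismatch"; // malformed header address
  if (certAddrs.some((c) => matchesStrict(headerAddr, c))) return "match";
  if (certAddrs.some((c) => matchesLax(headerAddr, c))) return "case-only-difference";
  return "mismatch";
}

// Constructed inputs based on the addresses in the report.
const certAddrs = ["John.Doe@SomeUniversity.edu"];
const samples = [
  "john.doe@someuniversity.edu", // the reported case
  "John.Doe@someuniversity.edu", // only the domain case differs
  "jane.roe@someuniversity.edu", // different mailbox
];
for (const from of samples) {
  console.log(from, "->", classifySigner(from, certAddrs));
}
```
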