From kmail-devel Wed Sep 18 21:14:05 2002
From: Ingo Klöcker
Date: Wed, 18 Sep 2002 21:14:05 +0000
To: kmail-devel
Subject: Re: [Bug 48014] KMail consider wrongly that all HTML messages are insecure (red) when in secure prof
X-MARC-Message: https://marc.info/?l=kmail-devel&m=103238540120558

On Wednesday 18 September 2002 21:28, Yannick Koehler wrote:
> Le September 18, 2002 03:12 pm, Karl-Heinz Zimmer a écrit: / On
> September
>
> > You are both right and wrong:
> >
> > Yes, there is nothing insecure in terms that such messages cannot
> > harm your computer equipment (most likely).
> >
> > No, these messages _are_ insecure since they can make you err: they
> > can pretend to be signed by somebody else and they can pretend that
> > this signature was successfully verified by your KMail.
> >
> > Please see my other message in this thread, I *must* get some sleep
> > now, otherwise I fall from my chair. :-D
>
> Which other message? This is the first message I see outside the bug
> entry.

This is the other message Karl Heinz wrote:

=======
On Wednesday 18 September 2002 21:06, Karl-Heinz Zimmer wrote:
> Problem is that a bad sender could easily produce an HTML message
> looking exactly the same as a signed message that was successfully
> verified by KMail.
>
> Thus (s)he could make the recipient(s) think that YES, it IS the boss
> who sent you this terrible message. :-D
>
> By faking the colored table KMail puts around a signed message and
> by faking the "Good signature." comment there the sender would
> pretend to be somebody else.
>
> The recipient (if having HTML enabled) would have no chance to
> distinguish between such fake messages and between the status
> information added by KMail after verifying a signature.
>
> Therefore we have the colorbar: It is completely independent of the
> HTML viewer displaying the message content, it is a separate widget
> shown to the left of the viewer - so it cannot be faked by HTML
> content _in_ the viewer.
>
> Now the user _sees_ that this is an HTML message and will not trust
> any nicely colored green table frames shown there since (s)he knows
> that this was _not_ produced by KMail but by the sender.
========

> Please explain to me what you mean by "they can pretend to be
> signed by somebody else and they can pretend that this signature was
> successfully verified by your KMail." In the context that this mail
> is displayed to me in ascii.

You are right. When the HTML message is displayed in ascii then we
probably shouldn't show the red HTML message.

Regards,
Ingo