
List:       kmail-devel
Subject:    Re: [Bug 48014] KMail consider wrongly that all HTML messages are insecure (red) when in secure prof
From:       Ingo Klöcker <kloecker () kde ! org>
Date:       2002-09-18 21:14:05

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 18 September 2002 21:28, Yannick Koehler wrote:
> On September 18, 2002 03:12 pm, Karl-Heinz Zimmer wrote:
>
> > You are both right and wrong:
> >
> > Yes, there is nothing insecure in terms that such messages cannot
> > harm your computer equipment (most likely).
> >
> > No, these messages _are_ insecure since they can make you err: they
> > can pretend to be signed by somebody else and they can pretend that
> > this signature was successfully verified by your KMail.
> >
> > Please see my other message in this thread, I *must* get some sleep
> > now, otherwise I fall from my chair.  :-D
>
> Which other message?  This is the first message I see outside the bug
> entry.

This is the other message Karl-Heinz wrote:
=======
On Wednesday 18 September 2002 21:06, Karl-Heinz Zimmer wrote:
> Problem is that a bad sender could easily produce an HTML message
> looking exactly the same as a signed message that was successfully
> verified by KMail.
>
> Thus (s)he could make the recipient(s) think that YES, it IS the boss
> who sent you this terrible message.    :-D
>
> By faking the colored table KMail puts around a signed message and
> by faking the "Good signature." comment there the sender would
> pretend to be somebody else.
>
> The recipient (if having HTML enabled) would have no chance to
> distinguish between such fake messages and the status
> information added by KMail after verifying a signature.
>
> Therefore we have the colorbar: It is completely independent of the
> HTML viewer displaying the message content, it is a separate widget
> shown to the left of the viewer - so it cannot be faked by HTML
> content _in_ the viewer.
>
> Now the user _sees_ that this is an HTML message and will not trust
> any nicely colored green table frames shown there since (s)he knows
> that this was _not_ produced by KMail but by the sender.
========

> Please explain to me what you mean by "they can pretend to be
> signed by somebody else and they can pretend that this signature was
> successfully verified by your KMail." In the context that this mail
> is displayed to me in ascii.

You are right. When the HTML message is displayed in ascii then we 
probably shouldn't show the red HTML message.

Regards,
Ingo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9iOydGnR+RTDgudgRAufHAJ4zEZ6jjovu8YHNettUqu0A6iHszQCfdlw6
XwbHQ4EXWzqhjWqUbV0LaTI=
=Uqaf
-----END PGP SIGNATURE-----

_______________________________________________
KMail Developers mailing list
kmail@mail.kde.org
http://mail.kde.org/mailman/listinfo/kmail
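
The design discussed in this thread, as an added sketch that is not KMail code and not part of the original message: the signature status and the color bar are computed by the client from the MIME structure and the rendering mode, never from anything the body says, and the HTML warning applies only when HTML is actually rendered. The function names, state strings, sample messages and the verify callback are assumptions made for illustration.

```python
from email import message_from_string

# Constructed sample: an unsigned HTML mail whose body imitates a status frame.
SPOOFED = (
    "From: boss@example.org\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    '<table bgcolor="#40ff40"><tr><td>Good signature.</td></tr></table>\n'
    "<p>Message text.</p>\n"
)

# Constructed sample: a multipart/signed mail with a placeholder signature part.
SIGNED = (
    "From: boss@example.org\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; boundary="b"; '
    'protocol="application/pgp-signature"\n'
    "\n"
    "--b\nContent-Type: text/plain\n\nMessage text.\n"
    "--b\nContent-Type: application/pgp-signature\n\nPLACEHOLDER\n"
    "--b--\n"
)

def signature_status(msg, verify):
    """Status shown by the client; the message body is never consulted."""
    if msg.get_content_type() != "multipart/signed":
        return "unsigned"
    parts = msg.get_payload()
    if not msg.is_multipart() or len(parts) != 2:
        return "bad"  # claims to be signed but is structurally malformed
    # verify is a hypothetical stand-in for the real OpenPGP check.
    return "good" if verify(parts[0], parts[1]) else "bad"

def color_bar(msg, render_html):
    """Indicator drawn outside the viewer: warn only when HTML is rendered."""
    has_html = any(p.get_content_type() == "text/html" for p in msg.walk())
    return "html" if render_html and has_html else "normal"

def chrome(raw, render_html, verify=lambda body, sig: False):
    """Return (color bar state, signature status) for a raw message."""
    msg = message_from_string(raw)
    return color_bar(msg, render_html), signature_status(msg, verify)
```

With the spoofed sample the status stays "unsigned" whatever the body displays, and the bar switches to "html" only when the HTML part is rendered rather than shown as plain text.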