
List:       kmail-devel
Subject:    Bug#4148: "Privacy bug": mail may be sent unencrypted w/o notice
From:       Malte Starostik <starosti () zedat ! fu-berlin ! de>
Date:       2000-05-28 7:43:11

Package: kmail
Version: 1.1.48 (KDE 1.90 Beta >= 20000517)
Severity: grave

PGP, at least v. 6.5.1i, asks for confirmation when you're about to encrypt with an
untrusted public key. I consider it a design flaw in PGP that this confirmation
is requested even in batch mode. But anyway, KMail IMHO reacts in an
unacceptable way:
If you select to encrypt a message and the recipient's public key is "untrusted",
the mail will be sent *unencrypted* without the slightest warning.
I could imagine that the same might happen when there are other problems,
not sure though. I suggest checking whether PGP's output is really an encrypted
message and otherwise giving the user a chance to abort.
Thanks,
-Malte
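The check the report asks for (verify that what PGP returned is really an encrypted message, otherwise abort rather than fall back to plaintext), as an added Python example that is not KMail's or PGP's code. `transport` is a hypothetical delivery callback, and the sample strings are constructed, not real PGP output; it additionally treats a non-zero PGP exit code as failure.

```python
import re

# Added example, not KMail's or PGP's code. Models the fix the report asks
# for: deliver only when PGP's output is demonstrably an encrypted message.
ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"
RADIX64_LINE = re.compile(r"[A-Za-z0-9+/=]+")


class EncryptionFailed(Exception):
    """Raised when the encryptor did not produce an encrypted message."""


def looks_encrypted(output: str) -> bool:
    """Plausibility check: is `output` one well-formed ASCII-armored PGP MESSAGE?

    BEGIN must be the first line and END the last (prompt text or leaked
    plaintext around the armor fails), optional "Key: value" armor headers
    may follow, then at least one radix-64 data line. The body is not decoded.
    """
    lines = [ln.rstrip("\r") for ln in output.strip().splitlines()]
    if len(lines) < 3 or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        return False
    inner = lines[1:-1]
    if "" in inner:  # a blank line separates armor headers from the data
        split = inner.index("")
        headers, data = inner[:split], inner[split + 1:]
    else:
        headers, data = [], inner
    if any(":" not in h for h in headers) or not data:
        return False
    return all(RADIX64_LINE.fullmatch(ln) for ln in data)


def send_or_abort(pgp_output: str, pgp_exit_code: int, transport) -> bool:
    """Fail closed: hand PGP's output to `transport` (hypothetical delivery
    callback) only if PGP succeeded and the output is really encrypted.
    Never falls back to sending the plaintext; raises EncryptionFailed instead."""
    if pgp_exit_code != 0 or not looks_encrypted(pgp_output):
        raise EncryptionFailed("PGP did not return an encrypted message; aborting send")
    transport(pgp_output)
    return True


# Constructed samples (not real PGP output): a plausible armored message and
# the kind of refusal/plaintext mix that must never reach the wire.
SAMPLE_ENCRYPTED = (
    "-----BEGIN PGP MESSAGE-----\nVersion: PGP 6.5.1i\n\n"
    "hQEMA0NvbnN0cnVjdGVkAQf/ZmFrZSBjaXBoZXJ0ZXh0IGZvciB0ZXN0aW5n\n"
    "=abcd\n-----END PGP MESSAGE-----\n"
)
SAMPLE_REFUSED = "Key is not trusted. Encrypt anyway (y/N)? \nhello world\n"
```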
