Date: Mon, 18 Aug 2014 08:28:33 +0200
From: Noel Kuntze <noel@...ilie-kuntze.de>
To: oss-security@...ts.openwall.com
Subject: Re: Enigmail warning

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Henri,

I'm using Thunderbird 31.0 with Enigmail 1.7 and can't reproduce that issue.
I'm on Arch Linux; what OS are you using? Also, please state any specialties.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 18.08.2014 at 08:22, Henri Salo wrote:
> Please read: http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/
> 
> Quote from thread below:
> 
> Enigmail 1.7 is completely broken for my purposes.
> 
> Steps to reproduce the problem:
> 
> 1) Write an email in TB.
> 2) Ensure "Force encryption" in Enigmail.
> 3) Ensure "Force signing" in Enigmail.
> 4) Recheck encryption and signing settings... OK.
> 5) Send the email.
> 6) Look at the received email. OOPS. It is NOT signed and NOT encrypted.
> 
> Sorry to say this so directly, but an encryption system, which CONFIRMS
> to the user in its graphical user interface in two different places
> that it will encrypt AND THEN SENDS THE EMAIL WITHOUT ANY ENCRYPTION IN
> PLAIN TEXT ... is just the BIGGEST IMAGINABLE CATASTROPHE.
> 
> Sorry for my profane language but there is simply no excuse for such
> bullshit.
> 
> I am currently preparing a crypto class for journalists next week to
> teach them how to use safe email.
> 
> HOW am I going to explain that? A system tells the user in a separate
> window as well as in a menu line that everything will be encrypted but
> then it simply FORGOT to ENCRYPT and, ooops, their report will be
> intercepted and their source will be tortured?
> 
> Ok...let's see....maybe there is some magic incompatibility with the TB
> or OS version or the specific configuration I used or whatever... As a
> computer scientist I can imagine many bug-explanations.
> 
> Good that I am just a computer scientist. As a serious user (dissident,
> whistle-blower, diplomatic or military user) I would now be waiting for
> the bad guys to come and get me with their water-board.
> 
> Still as a computer scientist I need an answer to which system I will
> teach in my class next week. Command-line PGP?!?
> 
