[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#17338: Bug#745553: emacs24-el: mml2015-always-trust should default t

From: Rob Browning
Subject: bug#17338: Bug#745553: emacs24-el: mml2015-always-trust should default to nil, not t
Date: Thu, 24 Apr 2014 14:12:38 -0500
User-agent: Notmuch/0.17+133~g5348d19 (http://notmuchmail.org) Emacs/24.3.1 (x86_64-pc-linux-gnu)

[If possible, please preserve the 745553-forwarded address in any replies.]

This bug was filed recently, and I suspect it might be something you'd
like to discuss upstream.


Daniel Kahn Gillmor <address@hidden> writes:

> Package: emacs24-el
> Version: 24.3+1-2
> Severity: normal
> Hi emacs maintainers!
> in 
> /usr/share/emacs/24.3/lisp/gnus/mml2015.el.gz
> i see this variable definition:
> (defcustom mml2015-always-trust t
>   "If t, GnuPG skip key validation on encryption."
>   :group 'mime-security
>   :type 'boolean)
> This is a security risk for users of encrypted mail.  i believe it
> should be set to nil by default.
> Here's why:
> Consider Alice, who has OpenPGP certificates for "Bob
> <address@hidden>" and "Carol <address@hidden>" in her keyring (in
> that order).  She has certified them both, so there is one valid
> primary key for address@hidden and one valid primary key for
> address@hidden
> Bob turns evil (or maybe his key is compromised) and he adds a new
> User ID: "Bob <address@hidden>" to his OpenPGP cert.  He publishes
> the update to the keyservers.
> Alice, following best practices, updates her keyring from the
> keyservers regularly.
> Alice's keyring now has two certs that have a "address@hidden" user
> ID in them.  One of them is valid, and the other one is not.
> Alice now composes a message to "Carol <address@hidden>" and marks
> it with:
>  <#secure method=pgpmime mode=signencrypt>
> As the message goes out, mml-mode just passes the e-mail address
> address@hidden to gpg to encrypt the message body, and gpg uses the
> e-mail address to select a key.  Since Bob's key is first in the
> keyring, it is the one that will be used.
> Bob then sneaks a peak at Carol's e-mail (maybe they're delivered to the
> same server, or he has a machine on the same network), catches the
> message in transit, and can decrypt the content, violating Alice's
> message confidentiality expectations.
> Please set mml2015-always-trust to default to "nil" instead of "t".
>         --dkg
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers testing
>   APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Versions of packages emacs24-el depends on:
> ii  emacs24-common  24.3+1-2
> emacs24-el recommends no packages.
> emacs24-el suggests no packages.
> -- debconf-show failed

Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

reply via email to

[Prev in Thread] Current Thread [Next in Thread]