From: Rob Browning <rlb@defaultvalue.org>
To: bug-gnu-emacs@gnu.org
Cc: 745553-forwarded@bugs.debian.org,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
745553@bugs.debian.org
Subject: Bug#745553: emacs24-el: mml2015-always-trust should default to nil, not t
Date: Thu, 24 Apr 2014 14:12:38 -0500
Message-ID: <877g6eilsp.fsf@trouble.defaultvalue.org>
In-Reply-To: <20140422190613.18043.21415.reportbug@alice.fifthhorseman.net>

[If possible, please preserve the 745553-forwarded address in any replies.]

This bug was filed recently, and I suspect it might be something you'd
like to discuss upstream.

Thanks

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> Package: emacs24-el
> Version: 24.3+1-2
> Severity: normal
>
> Hi emacs maintainers!
>
> in
>
> /usr/share/emacs/24.3/lisp/gnus/mml2015.el.gz
>
> i see this variable definition:
>
> (defcustom mml2015-always-trust t
>   "If t, GnuPG skip key validation on encryption."
>   :group 'mime-security
>   :type 'boolean)
>
> This is a security risk for users of encrypted mail. i believe it
> should be set to nil by default.
>
> Here's why:
>
> Consider Alice, who has OpenPGP certificates for "Bob
> <bob@example.org>" and "Carol <carol@example.org>" in her keyring (in
> that order). She has certified them both, so there is one valid
> primary key for bob@example.org and one valid primary key for
> alice@example.org.
>
> Bob turns evil (or maybe his key is compromised) and he adds a new
> User ID: "Bob <carol@example.org>" to his OpenPGP cert. He publishes
> the update to the keyservers.
>
> Alice, following best practices, updates her keyring from the
> keyservers regularly.
>
> Alice's keyring now has two certs that have a "carol@example.org" user
> ID in them. One of them is valid, and the other one is not.
>
> Alice now composes a message to "Carol <carol@example.org>" and marks
> it with:
>
> <#secure method=pgpmime mode=signencrypt>
>
> As the message goes out, mml-mode just passes the e-mail address
> carol@example.org to gpg to encrypt the message body, and gpg uses the
> e-mail address to select a key. Since Bob's key is first in the
> keyring, it is the one that will be used.
>
> Bob then sneaks a peek at Carol's e-mail (maybe they're delivered to the
> same server, or he has a machine on the same network), catches the
> message in transit, and can decrypt the content, violating Alice's
> message confidentiality expectations.
>
> Please set mml2015-always-trust to default to "nil" instead of "t".
>
> --dkg
>
> -- System Information:
> Debian Release: jessie/sid
> APT prefers testing
> APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages emacs24-el depends on:
> ii emacs24-common 24.3+1-2
>
> emacs24-el recommends no packages.
>
> emacs24-el suggests no packages.
>
> -- debconf-show failed
>
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
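
Added example, not part of the original message and not code from Emacs or GnuPG: a Python sketch of the scenario in the quoted report. It parses a constructed keyring listing in the `gpg --with-colons --list-keys` record layout, models first-match selection with and without the validity check, and flags addresses claimed by more than one certificate where a claim is not valid. The function names and the sample keys are assumptions made for illustration.

```python
import re

# Constructed sample in the `gpg --with-colons --list-keys` record layout
# (validity in field 2; user ID / fingerprint in field 10). Not real keys.
SAMPLE = """\
pub:f:4096:1:BBBBBBBBBBBBBBBB:1300000000:::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:f::::1300000000::0000::Bob <bob@example.org>:
uid:-::::1398000000::0000::Bob <carol@example.org>:
pub:f:4096:1:CCCCCCCCCCCCCCCC:1300000000:::-:::scESC:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
uid:f::::1300000000::0000::Carol <carol@example.org>:
"""
VALID = {"f", "u"}  # full or ultimate validity

def parse_uids(colons):
    """Return [(fingerprint, validity, address)] per user ID, in keyring order."""
    fpr, out = None, []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            fpr = None  # new cert: the next fpr record is its primary key
        elif f[0] == "fpr" and fpr is None:
            fpr = f[9]
        elif f[0] == "uid":
            m = re.search(r"<([^<>]+)>\s*$", f[9])
            out.append((fpr, f[1], (m.group(1) if m else f[9]).lower()))
    return out

def first_match(colons, addr, always_trust):
    """Simplified model of the selection the report describes (an assumption,
    not GnuPG's code): the first cert with a matching user ID is picked, and
    its validity matters only when always_trust is off.
    Returns (fingerprint, accepted)."""
    for fpr, validity, uid_addr in parse_uids(colons):
        if uid_addr == addr.lower():
            return fpr, always_trust or validity in VALID
    return None, False

def shadowed_addresses(colons):
    """Addresses claimed by more than one cert where some claim is not valid."""
    claims = {}
    for fpr, validity, addr in parse_uids(colons):
        claims.setdefault(addr, []).append((fpr, validity))
    return {a: c for a, c in claims.items()
            if len({f for f, _ in c}) > 1 and any(v not in VALID for _, v in c)}
```

On the sample, the selection lands on Bob's certificate for carol@example.org either way; only with `always_trust` off is that choice rejected, and `shadowed_addresses` reports the address for review.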