-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Wed, 2018-05-16 at 11:44 +0200, Sandro Knauß wrote: > Hey,
Hi Sandro, thanks for the update on this. > > For S/MIME the situation is that it is a conceptional weakness in the > standard > to remove the target vector completely. Agreed, and I'm unsure what we can do about it in Debian right now, besides mitigation for backchannels. > > In KMail we have the best handling that we can get at the moment (with > default > settings). KMail never access resources from the internet without asking the > user or an explicit change of the default setting: > Settings > Configure KMail > Security > Reading > Allow messages to load > external references from the Internet Ok. Other clients like Evolution and Trojita also had an issue with DNS prefetching which could be re-enabled in Webkit. Not sure on what library KMail relies for HTML rending but it might be worth checking that too? See https://bugs.webkit.org/show_bug.cgi?id=182924 for the webkit bug (with links to the Evolution and Trojita ones). > > There are some small patches, that disable this setting for encrypted > messages, to enforce a user interaction: > > https://phabricator.kde.org/D12391 > https://phabricator.kde.org/D12393 > https://phabricator.kde.org/D12394 > > For me applying the patches makes sense to improve security for users, but > disabling the external resource loading completely would break workflows. > Those patches are applied for the following Debian packages, where the > setting > is used for everything: > libmessageviewer5 << 4:18.04.1 > kmail < 4:18.04.1 Thanks, that's good to know. > > As already mentioned, the underlying problem is the S/MIME conceptional > weaknes, that can't be fixed by those patches. > > The stack KMail is using for decryption is GPGME Qt backend that is > packaged > in gpgme1.0 for testing/sid and gpgmepp for stable and older. > > I'm not sure, how this should be handled in Debian correctly. I'm not sure either, to be honest. > > For a more detailed look for KMail and EFail see the dot.kde article: > > https://dot.kde.org/2018/05/15/efail-and-kmail That article indicates KMail uses GnuPG for S/MIME, which I find a bit weird. - -- Yves-Alexis -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlr8AQkACgkQ3rYcyPpX RFvIOQf/YLo7d/Fgy8CCPYH+rwiS0A+EwzXQZhCCykF4nk9lGH3uwQHGa9a4UdJT FuCBu3krxPUymczIsT+p0XCUBuindZ8wknMzkqJ9rRXGN0L3634Cau7CgSA4e84H bG1EMMfWxx2wwAjaK3dAXHF4gAUXRVfpKMdJEpidFiXZ9ixZtCKSyhM2AaF+IYli I8kVG6gzOxrEwo+2BbQOjo+e25be19HoktnQAFbBEafVIwcjQSrop5Y4A6cXkJ5P CT0tzc+VloCIgDwQHEkUCyM3rXJbkklgZWmTXhhDU1lMteZixnXU5uB2Gc5akW4q alumMVM6AXu9NzAe+PioFrChglkixQ== =2SgF -----END PGP SIGNATURE-----
