Show security bar above message headers
For GPG-signed messages Evolution shows a green (for fully trusted keys) bar below the mail. It is possible to very closely simulate this look with an HTML mail and using embedded images.
I'll attach an example mail and two screenshots comparing a real and a fake message.
There are some imperfections in this attack:
- Evolution shows a "Security: GPG signed" pseudo-header. (This is hard to fake due to the border that cannot be controlled.)
- The border is gray, not green (hardly visible).
- The border of the message window goes around the "Valid signature" box.
(Also in my example I haven't managed to match the exact default font, but this is obviously just a matter of trying harder.)
Despite the imperfections I think most users would fall for such a "signed" mail.
The problem is a UI one. Security indicators should not be displayed at a place in the UI that is attacker controlled.
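As an added illustration (not from this report and not Evolution's code), here is a defender-side check that takes the "signed" decision from the MIME structure alone, never from the rendered body; both sample messages are constructed, and the function names are assumptions.

```python
import email
from email import policy

# Constructed sample: a genuine PGP/MIME signature (RFC 3156 layout).
REAL = b"""Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
--b1--
"""

# Constructed sample: an HTML body that paints its own "Valid signature" bar
# with an inline image, but carries no signature part at all.
FAKE = b"""Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html

<p>hello</p><img src="cid:bar"><div style="border:1px solid green">Valid signature</div>
--b2
Content-Type: image/png
Content-ID: <bar>

(constructed placeholder image bytes)
--b2--
"""

def signature_status(raw: bytes) -> str:
    """Classify from MIME structure only; the rendered body is attacker controlled."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        parts = list(msg.iter_parts())
        if len(parts) == 2 and parts[1].get_content_type() == "application/pgp-signature":
            return "pgp-mime-signed"  # structure is right; gpg must still verify it
    # No signature part: anything in the body claiming one is purely decorative.
    has_inline_image = any(p.get_content_maintype() == "image" and p["Content-ID"]
                           for p in msg.walk())
    claims_signed = any(p.get_content_type() == "text/html"
                        and "valid signature" in p.get_content().lower()
                        for p in msg.walk())
    if claims_signed and has_inline_image:
        return "spoof-suspect"
    return "unsigned"
```

The point is that the UI (or a mail filter) should derive its indicator from `signature_status`-style structural facts and then from the actual cryptographic check, so that nothing an HTML body draws can influence it.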
Edited by Milan Crha