GNOME / evolution / Issues / #120 (Closed)
Issue created Sep 09, 2018 by Hanno Böck (@hanno)

Show security bar above message headers

For GPG-signed messages Evolution shows a green (for fully trusted keys) bar below the mail. It is possible to very closely simulate this look with an HTML mail and using embedded images.

I'll attach an example mail and two screenshots comparing a real and a fake message.

There are some imperfections in this attack:

  • Evolution shows a "Security: GPG signed" pseudo-header. (This is hard to fake due to the border that cannot be controlled.)
  • The border is gray, not green (hardly visible).
  • The border of the message window goes around the "Valid signature" box.

(Also in my example I haven't managed to match the exact default font, but this is obviously just a matter of trying harder.)

Despite the imperfections I think most users would fall for such a "signed" mail.

The problem is a UI one. Security indicators should not be displayed at a place in the UI that is attacker controlled.

Attachments:

  • evolution-fake
  • evolution-real
  • evolution-redressing-mail.txt

Edited Oct 22, 2018 by Milan Crha
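As an added illustration of the fix the report asks for (example code, not Evolution's or the reporter's): the trust state is derived only from gpg's `--status-fd` output, and the indicator is produced as application chrome that is returned separately from the untrusted body, so nothing inside the mail can contribute to it. The status lines are constructed samples in gpg's real keyword format; the colour/label policy and the `render` layout are assumptions.

```python
"""Trust-state derivation for a signed-mail viewer (constructed example)."""
from dataclasses import dataclass
from html import escape
from typing import Optional

GREEN_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}   # policy assumption: green only for these
BAD_SIG = {"BADSIG", "ERRSIG"}

# Constructed sample `gpg --status-fd` output; key id and user id are made up.
SAMPLE_FULLY_TRUSTED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Sender <sender@example.org>",
    "[GNUPG:] TRUST_FULLY 0 pgp",
]
SAMPLE_UNKNOWN_TRUST = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Sender <sender@example.org>",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_BODY = "<p>Please review the attached invoice.</p>"   # untrusted content

@dataclass(frozen=True)
class SigStatus:
    signed: bool                  # a signature was found and checked
    good: bool                    # GOODSIG seen and no BADSIG/ERRSIG
    trust: Optional[str] = None   # TRUST_* keyword reported by gpg, if any

def parse_gpg_status(lines):
    """Derive the signature state solely from gpg's '[GNUPG:] ' status lines."""
    good = bad = False
    trust = None
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        keyword = line.split()[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword in BAD_SIG:
            bad = True
        elif keyword.startswith("TRUST_"):
            trust = keyword
    return SigStatus(signed=good or bad, good=good and not bad, trust=trust)

def indicator(status):
    """(colour, label) of the security bar; 'none' means no bar is drawn."""
    if not status.signed:
        return ("none", "")
    if not status.good:
        return ("red", "Invalid signature")
    if status.trust in GREEN_TRUST:
        return ("green", "Valid signature")
    return ("yellow", "Valid signature, key not fully trusted")

def render(status, body_html):
    """Chrome is built by the app and kept apart from the body region."""
    colour, label = indicator(status)
    chrome = "" if colour == "none" else f'<div class="security-bar {colour}">{escape(label)}</div>'
    return {"chrome": chrome, "body": body_html}
```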