[rwth-security] OpenPGP signature spoofing using HTML

16 Okt 2018


      Hallo zusammen,
sofern nicht selber schon gesehen/-lesen hier [0] FYI
"OpenPGP signature spoofing using HTML"
Hier am Beispile von Enigmail und Thunderbrid
"... when HTML mails are enabled this part of the user interface 
    can be fully controlled by the mail sender ...
    ...  an attacker can simply fake a signature by crafting an HTML 
    mail that will display the green bar ..."
Im weiteren werden Beispiele erklärt für
- KMail
    - Evolution
    - GPGTools plugin for Apple Mail (attack was not possible using the same technique)
    - mutt (text fakes: the output of the GPG verification command within the mail
    	Gegenmaßnahme: enabling colors for signed messages)
VG
Bernd
[0]
https://lwn.net/Articles/767717/
-- 

Bernd Kohler

IT Center
Abteilung: Netze
RWTH Aachen University
Wendlingweg 10
52074 Aachen
Tel: +49 241 80-29793
Fax: +49 241 80-22666
kohler@itc.rwth-aachen.de
https://www.itc.rwth-aachen.de

2024

2023

2022

2021

2020

2019

2018

[rwth-security] OpenPGP signature spoofing using HTML