https://bugs.kde.org/show_bug.cgi?id=398454

Bug ID: 398454
Summary: GPG signatures can be faked with HTML/CSS
Product: kmail2
Version: unspecified
Platform: Other
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: crypto
Assignee: kdepim-b...@kde.org
Reporter: ha...@hboeck.de
Target Milestone: ---

Created attachment 114876
--> https://bugs.kde.org/attachment.cgi?id=114876&action=edit
sample mail "signed" with CSS/HTML

In kmail signed mails are indicated by a green border around the mail content. This can be almost perfectly simulated by rebuilding that border with an HTML table.

I've attached an example and screenshots of both a fake and a real mail (they're visually identical, except for some minor font rendering details that are invisible when not zooming in).

In the message list there's a small symbol indicating a signed message, so there they can be distinguished, although I doubt anyone will notice. If a message is opened in its own window there's no way to distinguish fake from real.

The problem here is with the fact that a security indicator is part of an "attacker-controlled" space, i.e. the content of a mail that gives the other party extensive layout options.
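Added example, not code from the bug report or from KMail: the report's point is that the indicator must rest on something the mail body cannot touch. The Python below derives a signed/unsigned state from the MIME structure alone (gpg still has to verify the signature part) and, separately, flags an HTML body whose outermost element paints its own border, using two constructed sample mails.

```python
import email
from email import policy
from html.parser import HTMLParser
# Constructed sample: plain HTML mail whose body paints its own frame around the content.
FAKE_SIGNED = b"""Content-Type: text/html; charset=utf-8

<table style="border:2px solid green;width:100%"><tr><td>Looks signed.</td></tr></table>
"""
# Constructed sample: genuine multipart/signed layout; the signature part is a placeholder.
REAL_SIGNED = b"""Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain; charset=utf-8

Actually signed.
--sig
Content-Type: application/pgp-signature

PLACEHOLDER, not a real signature
--sig--
"""

def signature_state(raw):
    # Structural check only; gpg must still verify the part. The HTML body cannot affect this.
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/signed"
            or msg.get_param("protocol") != "application/pgp-signature"):
        return "unsigned"
    parts = msg.get_payload()
    if len(parts) == 2 and parts[1].get_content_type() == "application/pgp-signature":
        return "signed"
    return "unsigned"

class _OuterStyle(HTMLParser):
    # Remembers the style attribute of the first content element that opens.
    def __init__(self):
        super().__init__()
        self.style = None
    def handle_starttag(self, tag, attrs):
        if self.style is None and tag not in ("html", "head", "body", "meta", "title", "style"):
            self.style = (dict(attrs).get("style") or "").lower()

def body_draws_own_frame(raw):
    # Heuristic: the outermost content element carries a CSS border, i.e. the body paints
    # a frame where the client draws its indicator. Worth a warning, never a trust decision.
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",))
    parser = _OuterStyle()
    parser.feed(html.get_content() if html is not None else "")
    return parser.style is not None and "border" in parser.style
```

A client that draws its status from signature_state() into window chrome outside the content pane, and only uses body_draws_own_frame() to raise a warning, keeps the indicator out of the space the sender controls.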