GNU bug report logs - #35617
mml secure mode should copy headers to inside the cryptographic payload

Previous Next

Package: emacs;

Reported by: Daniel Kahn Gillmor <dkg <at> fifthhorseman.net>

Date: Tue, 7 May 2019 05:22:02 UTC

Severity: wishlist

Tags: moreinfo, security

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 35617 in the body.
You can then email your comments to 35617 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#35617; Package emacs. (Tue, 07 May 2019 05:22:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg <at> fifthhorseman.net>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Tue, 07 May 2019 05:22:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg <at> fifthhorseman.net>
To: bug-gnu-emacs <at> gnu.org
Subject: mml secure mode should copy headers to inside the cryptographic
 payload
Date: Tue, 07 May 2019 01:20:43 -0400
[Message part 1 (text/plain, inline)]
In secure mode, during message composition, mml crafts a MIME message
before applying the necessary transformations for cryptographic
protections.

I think the function of preparing this stuff happens in
message-encode-message-body and in mml-generate-mime.

It would be great if those preparations were to copy all the headers
from *outside* of the cryptographic protections (the "cryptographic
envelope") to the top-level part *inside* the cryptographic envelope, so
that they're covered by the cryptographic protections.

The only header you probably don't want to copy is Content-Type, since
the Content-Type outside the cryptographic protections is pretty clearly
different from the one on the inside.

If this simple copy is done, then the subject line of a signed message
can be verified by the client (as can other headers, but Subject is
probably most relevant).

The request above doesn't keep the subject line secret in the case of an
encrypted message, but it sets the stage for doing so.  It is concretely
useful on its own in any case for signed-only messages, and has no
downsides.

Once the headers are regularly copied into the top-level part of the
cryptographic payload, the *outer* Subject for an encrypted message can
be replaced with "Subject Unavailable" -- then mail user agents like
enigmail and K-9 will be able to read the subject of encrypted messages,
but they won't leak outside.  I'll open that as a separate issue once
we've gotten the first part described here taken care of

So this particular feature request is *just* about outbound message
composition and only covers header protection for signed messages.

For incoming message handling of encrypted messages with protected
headers, I have a patch queue ready to handle that (for Subject: at
least) in notmuch-emacs.

          --dkg
[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from Noam Postavsky <npostavs <at> gmail.com> to control <at> debbugs.gnu.org. (Fri, 21 Jun 2019 10:21:02 GMT) Full text and rfc822 format available.

Severity set to 'wishlist' from 'normal' Request was from Noam Postavsky <npostavs <at> gmail.com> to control <at> debbugs.gnu.org. (Fri, 21 Jun 2019 10:21:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#35617; Package emacs. (Mon, 26 Aug 2019 06:10:02 GMT) Full text and rfc822 format available.

Message #12 received at 35617 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Daniel Kahn Gillmor <dkg <at> fifthhorseman.net>
Cc: 35617 <at> debbugs.gnu.org
Subject: Re: bug#35617: mml secure mode should copy headers to inside the
 cryptographic payload
Date: Mon, 26 Aug 2019 08:09:23 +0200
Daniel Kahn Gillmor <dkg <at> fifthhorseman.net> writes:

> It would be great if those preparations were to copy all the headers
> from *outside* of the cryptographic protections (the "cryptographic
> envelope") to the top-level part *inside* the cryptographic envelope, so
> that they're covered by the cryptographic protections.

You mean repeat all the headers in the body of the message?

Is there an RFC for stashing headers in the body of messages and using
those instead of the real headers when reading?  Because if not, this
just sounds like it's going to be pretty confusing.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Added tag(s) moreinfo. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Mon, 26 Aug 2019 06:10:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#35617; Package emacs. (Sun, 29 Sep 2019 14:13:02 GMT) Full text and rfc822 format available.

Message #17 received at 35617 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Daniel Kahn Gillmor <dkg <at> fifthhorseman.net>
Cc: 35617 <at> debbugs.gnu.org
Subject: Re: bug#35617: mml secure mode should copy headers to inside the
 cryptographic payload
Date: Sun, 29 Sep 2019 16:12:45 +0200
Lars Ingebrigtsen <larsi <at> gnus.org> writes:

> Daniel Kahn Gillmor <dkg <at> fifthhorseman.net> writes:
>
>> It would be great if those preparations were to copy all the headers
>> from *outside* of the cryptographic protections (the "cryptographic
>> envelope") to the top-level part *inside* the cryptographic envelope, so
>> that they're covered by the cryptographic protections.
>
> You mean repeat all the headers in the body of the message?
>
> Is there an RFC for stashing headers in the body of messages and using
> those instead of the real headers when reading?  Because if not, this
> just sounds like it's going to be pretty confusing.

More information was requested, but no response was given within a
month, so I'm closing this bug report.  If there is such an RFC, please
reopen this bug report.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




bug closed, send any further explanations to 35617 <at> debbugs.gnu.org and Daniel Kahn Gillmor <dkg <at> fifthhorseman.net> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Sun, 29 Sep 2019 14:13:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 28 Oct 2019 11:24:06 GMT) Full text and rfc822 format available.

This bug report was last modified 4 years and 153 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.