Security vulnerability in GPGMail

GPGMail plugin users take note. According to a Hawk Wings reader, emails signed with the GPGMail plugin may not be as safe as you think.

He writes,

I thought you might like to know that there is a serious security flaw in the gpgmail plugin. I discovered the vulnerability a few weeks ago, though I’m not the first to do so.

The problem is that if gpgmail detects a valid signature for part of a message, it displays a notice to say that the message is signed, even if parts of it are not. As a result, it is possible for an attacker to add arbitrary data (extra text, attachments, etc) to a signed message and it will appear to the user that the whole message is signed.

There is more detailed discussion in the mailing list archives:

http://www.sente.ch/Lists/gpgmail-users/List.html

The username and password required to view the archives are “sente” and “sente”.

[Thanks, Nicholas]
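The structural check the reader describes as missing can be sketched as follows. This is an added example, not code from GPGMail or from the original post: it looks only at PGP/MIME (`multipart/signed`) structure, assumes the signature verdict itself comes from a separate verifier such as gpg, and its function names and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy

def leaf_coverage(part, covered=False):
    """Yield (content_type, covered) for every leaf part of a MIME tree."""
    kids = part.get_payload() if part.is_multipart() else []
    if (part.get_content_type() == "multipart/signed" and len(kids) == 2
            and kids[1].get_content_type() == "application/pgp-signature"):
        # RFC 3156 layout: kids[0] is the signed content, kids[1] the signature.
        yield from leaf_coverage(kids[0], covered=True)
    elif kids:
        # Any other container passes its own coverage state down unchanged.
        for kid in kids:
            yield from leaf_coverage(kid, covered)
    else:
        yield part.get_content_type(), covered

def unsigned_parts(raw):
    """Content types of leaf parts that no multipart/signed container covers."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [ctype for ctype, covered in leaf_coverage(msg) if not covered]

def banner(raw, signature_valid):
    """Status to display; signature_valid is the external verifier's verdict."""
    if not signature_valid:
        return "not signed"
    return "partially signed" if unsigned_parts(raw) else "signed"

# Constructed sample: a message whose root is the signed container.
SIGNED = (b'Content-Type: multipart/signed; boundary="s";'
          b' protocol="application/pgp-signature"\r\n\r\n'
          b'--s\r\nContent-Type: text/plain\r\n\r\nOriginal text.\r\n'
          b'--s\r\nContent-Type: application/pgp-signature\r\n\r\n'
          b'(placeholder, not a real signature)\r\n--s--\r\n')
# Constructed sample: the same signed block with one extra part beside it.
WRAPPED = (b'Content-Type: multipart/mixed; boundary="m"\r\n\r\n'
           b'--m\r\n' + SIGNED +
           b'--m\r\nContent-Type: application/octet-stream\r\n\r\n'
           b'appended\r\n--m--\r\n')

if __name__ == "__main__":
    for name, raw in (("SIGNED", SIGNED), ("WRAPPED", WRAPPED)):
        print(name, banner(raw, True), unsigned_parts(raw))
```

A client that shows "signed" only when `unsigned_parts` is empty cannot be misled by content placed outside the signed container.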
