GPGMail plugin users take note. According to a Hawk Wings reader, emails signed with the GPGMail plugin may not be as safe as you think.

He writes,

I thought you might like to know that there is a serious security flaw in the gpgmail plugin. I discovered the vulnerability a few weeks ago, though I’m not the first to do so.

The problem is that if gpgmail detects a valid signature for part of a message, it displays a notice to say that the message is signed, even if parts of it are not. As a result, it is possible for an attacker to add arbitrary data (extra text, attachments, etc) to a signed message and it will appear to the user that the whole message is signed.

There is more detailed discussion in the mailing list archives:

http://www.sente.ch/Lists/gpgmail-users/List.html

The username and password required to view the archives are “sente” and “sente”.

[Thanks, Nicholas]

Related posts

• NetShred X 3.17: Thunderbird, Camino support
• Encryption tutorial for Mail.app
• You’re invited: Outlook meeting plugin for Mail
• WideScreenMail plugin gets two-line preview
• WideMail 0.1.0: Real Widescreen Preview Column

The 10.4.6 update has been released.

According to the release notes , the only improvement for Mail.app “resolves an issue in which Mail could unexpectedly quit when lowering the quote level within a reply message”, something I’ve never noticed.

A user in the Apple Discussions reports that the update breaks GPGMail, so that Mail crashes when an encrypted message is selected.

On my PowerBook, it also overwrote the Panther Mail icons inserted by Mail Stamps, which gave me a fright.

Fortunately, running Mail Stamps after the update has removed the lozenge-shaped buttons again.

Related posts

• Why Apple Mail makes Leander smile
• What’s new for Mailapp in 10.4.8
• Snow Leopard’s shrinking mail.app: Mystery solved
• Mail.app on Mac trumps Ubuntu hands down
• Apple heavies Mail Stamps developer

Thomas at n00.be has discovered a fix for the persistent unread messages bug that strikes some Mail.app users with Sen:te’s GPGMail installed.

You need to tweak GPGMail’s settings for automatic authentication and decryption. The correct settings are outlined in an archived email on the GPGMail User mailing list.

Incidentally, you can find another fix for the “unread message count” bug (unrelated to GPGMail, but related to your Mailbox Behaviour settings) in this thread on the Apple Discussion Board.

Related posts

• The puzzle of extra returns in Mail.app replies
• Ten ways to make Mail.app better
• Security vulnerability in GPGMail
• Security flaw with scripts in Mail.app
• Savaging Mail’s sending silliness

GPGMail is a plug-in that enables the sending and receiving of encrypted emails in Apple Mail. It works in Tiger and Panther, and acts as a front-end to macgpg, the Mac port of an open source encryption engine, gpg. You will need to install macgpg first.

After installing GPGMail, you will find a new sub-menu under the Message menu, from which you can manage your digital signatures and other encryption options. The developer’s website provides a list of the plug-in’s limitations, including the fact that encrypted messages are just stored by Apple Mail and not indexed.

It is freeware and is available from the developer’s website.

Joar Winfors provides some background on his site about using digital signatures in Apple Mail.

UPDATE: GPGMail 1.1.2 released, 5 February 2006.

Related posts

• GPGMail 1.1.2
• Wide-screen hack for Yojimbo
• Wide screen plugin for Leopard Mail released
• Weekly Update
• Weekly Update