GPGMail plugin users take note. According to a Hawk Wings reader, emails signed with the GPGMail plugin may not be as safe as you think.
I thought you might like to know that there is a serious security flaw in the gpgmail plugin. I discovered the vulnerability a few weeks ago, though I’m not the first to do so.
The problem is that if gpgmail detects a valid signature for part of a message, it displays a notice to say that the message is signed, even if parts of it are not. As a result, it is possible for an attacker to add arbitrary data (extra text, attachments, etc) to a signed message and it will appear to the user that the whole message is signed.
There is more detailed discussion in the mailing list archives:
The username and password required to view the archives are “sente” and “sente”.
Tags: Apple Mail, digital signatures, GPGMail, mail.app, plugins, privacy, security