<div class="markdown">
<p dir="auto">On 2016-01-29 16:08:33 (+0100), Benny Kjær Nielsen <a href="mailto:mailinglist@freron.com">mailinglist@freron.com</a> wrote:</p>
<blockquote>
<p dir="auto">On 27 Jan 2016, at 23:56, Philip Paeps wrote:</p>
<blockquote>
<p dir="auto">How would I go about changing the style of partially signed messages? I am guessing it's something like this but with different <code>type=</code> and <code>subtype=</code> parameters.</p>
<p dir="auto">div.bodypart[type=message][subtype=rfc822] { }</p>
</blockquote>
<p dir="auto">No, that would target embedded emails (“Forward as Attachment”).</p>
<p dir="auto">[...]</p>
<p dir="auto">It was a quick hack to make sure that MailMate clearly indicates if someone has taken a signed email and extended its content with unsigned body part(s). This is essentially what often happens on the mailing list when the footer is added.</p>
</blockquote>
<p dir="auto">I really like this feature, quick hack or no! It's nice to be able to distinguish in a message with some parts signed and some parts not, which parts and signed (and whether I can trust them). The green/yellow/red borders around different parts of the message are great. Except with my stylesheet.css tinkering I got very low-contrast bright yellow on dim yellow.</p>
<p dir="auto">Note that this message is actually a good example: the Apple security mail you included was signed and MailMate shows exactly which parts are signed and which parts aren't. Excellent.</p>
<blockquote>
<p dir="auto">I've now changed it such that you can style it with a custom stylesheet. Look for <code>div.security</code> in the default stylesheet. I haven't changed how it looks (which is pretty ugly). You are welcome to share it if you come up with something better.</p>
</blockquote>
<p dir="auto">Thanks! I'll tinker with this some more (see if I can make the yellow on yellow go away) and share my diff against stylesheet.css in case anyone wants it.</p>
<blockquote>
<p dir="auto">At least it appears it's not possible to put the unsigned content before the signed content. It doesn't trigger a warning, but Apple Mail then simply ignores that the message has signed parts at all.</p>
</blockquote>
<p dir="auto">Arguably, being able to prepend or append data without clear indication that this has been done is equally bad. Imagine an email with a signed invoice which has been intercepted and mangled by an attacker to include "please pay XXX to our account YYYY" below the invoice. Contrived example perhaps, but it's Friday afternoon, I couldn't think of anything better.</p>
<blockquote>
<p dir="auto">I just realized that it <em>is</em> possible to make the signed part appear as an attachment. By providing a filename then it's even possible to make it appear as if it's some kind of failed logo. [...]</p>
</blockquote>
<p dir="auto">Oops. That is terrible. That makes it look like the whole message has been signed. If all you need to make a whole message look like it's signed by a trustworthy sender, is any trusted message from such a sender, you can cause a lot of trouble.</p>
<blockquote>
<p dir="auto">I haven't checked any other email clients, but I doubt it's a common issue. I'm guessing most email clients would just ignore that the email is signed and/or encrypted.</p>
</blockquote>
<p dir="auto">The only other client I have significant experience with is Mutt, which like MailMate tells you the status of each part of multipart messages. Something like:</p>
<pre><code>[-- Attachment #1 --]
[-- Type: multipart/signed, Encoding: 7bit, Size: 1.5K --]
[-- PGP output follows (current time: Fri Jan 29 16:30:28 2016) --]
This is the literal output from gpg --verify. Mutt allows you to
highlight based on regular expressions so it's easy to highlight
whether the signature is good or bad and what's wrong with it if
it's bad.
[-- End of PGP output --]
[-- The following data is signed --]
The signed part is here. If there are multiple signed parts, they
are individually delimited with [-- --] markers like this.
[-- End of signed data --]
[-- Attachment #2 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]
This would be a mailing list footer for instance.
</code></pre>
<p dir="auto">Mutt displays OpenPGP and S/MIME signed messages identically (only with the output from OpenSSL rather than GnuPG, obviously). It's pretty clear to identify which parts are signed and which parts aren't.</p>
<blockquote>
<p dir="auto">Also don't interpret it as me stating that MailMate is more secure than Apple Mail.</p>
</blockquote>
<p dir="auto">As far as PGP and S/MIME go, I think you're doing a much better job than Mail.app. It's very important to be able to tell which parts are signed and which parts aren't in a complex multipart message. Being able to make a whole message appear to be signed by including a signed attachment is simply terrible.</p>
<blockquote>
<p dir="auto">I have attached the example email if anyone wants to try it out in Apple Mail or other email clients. That should also test how MailMate handles it...</p>
</blockquote>
<p dir="auto">I've looked at this message in Mutt. It's pretty clear which part is signed and which part isn't. My Mutt doesn't have access to root certificates (I get very little S/MIME mail, and those people I get it from, are explicitly trusted) so it can't tell me anything about how trustworthy the signed part is, but it tells me which part it is.</p>
<pre><code>[-- Attachment #3: The world is going under tomorrow.eml --]
[-- Type: message/rfc822, Encoding: 7bit, Size: 7.3K --]
Date: Sun, 16 Jan 2013 16:31:36 -0800
[...]
Message-id: <9C3B25F9-EB27-4356-A1C5-782EBE70AD3F@apple.com>
[-- Attachment #1: logo.png --]
[-- Type: multipart/signed, Encoding: 7bit, Size: 6.6K --]
[-- OpenSSL output follows (current time: Fri Jan 29 16:35:20 2016) --]
[-- End of OpenSSL output --]
[-- The following data is signed --]
I’ve noticed that in some systems [...]
[-- End of signed data --]
[-- Attachment #2 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]
This text is unsigned. [...]
[-- Attachment #3: attachment.txt --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]
The same goes for attachments.
[-- Attachment #4 --]
[-- Type: text/plain, Encoding: base64, Size: 0.2K --]
(mailing list footer here)
</code></pre>
<blockquote>
<p dir="auto">...and this shows that MailMate does not like the <code>attachment</code> disposition of the <code>multipart/signed</code> body part. It is shown both inline (as it should) and as an attachment (which is shouldn't). Worse, clicking “Quick Look” shows the wrong attachment.</p>
</blockquote>
<p dir="auto">Oops. :-)</p>
<p dir="auto">Once upon a time, there was a MIME test suite on the web at <a href="http://www.imc.org/mimetest/">http://www.imc.org/mimetest/</a>. It's been taken offline because it was being abused by spammers. Perhaps you can still find it on archive.org though. If not: one of its authors uses MailMate and is subscribed to this mailing list (small world). Perhaps he has a local copy. ;-)</p>
<blockquote>
<p dir="auto">Hold down ⌥ when clicking “Check Now” in the Software Update preferences pane to get the test release.</p>
</blockquote>
<p dir="auto">Excellent! Many thanks!</p>
<blockquote>
<blockquote>
<p dir="auto">A few more comments in stylesheet.css would be helpful. :)</p>
</blockquote>
<p dir="auto">Apparently I'm too busy ranting on the mailing list :-)</p>
</blockquote>
<p dir="auto">I know how you feel. :)</p>
<p dir="auto">Philip</p>
<p dir="auto">-- <br>
Philip Paeps<br>
Senior Reality Engineer<br>
Ministry of Information</p>
</div>