Re: [Tails-dev] #8999: Claws Mail leaks cleartext of encrypt…

Supprimer ce message

Répondre à ce message
Auteur: sajolida
Date:  
À: The Tails public development discussion list
Sujet: Re: [Tails-dev] #8999: Claws Mail leaks cleartext of encrypted email to the IMAP server
intrigeri:
> sajolida wrote (07 May 2015 13:03:23 GMT) :
>> intrigeri:
>>>> or, better, through the web interface of your email provider.
>>>
>>> I don't know why it would be better. I think I'd simply remove this
>>> 2nd option.
>
>> I remove the "better". I'll keep this as an option because it's what I
>> would do myself: as Claws Mail is known to do fishy stuff with my draft
>> folder, I would go to the web mail to check what's actually in there.
>
> OK... I see your level of distrust wrt. Claws Mail has reached "I
> don't believe it properly shows me the content of a remote IMAP
> folder". I can emphatize with this feeling, especially after all the
> work you've put into it. Still, I'm not aware of actual facts that
> back up this feeling enough to justify making this doc longer than it
> needs. Anyway, I'll stop insisting now, no big deal, I can totally
> live with the current situation :)


I fully agree with the facts. But the thing is that feelings do not
always need to be backed up by actual facts to be worth being taken into
consideration. Especially in usable security.

>>>> Use the OpenPGP Applet
>> [...]
>> I also end up with *three* of each folder on my
>> screen when doing that on Riseup (see screenshot for both
>> tails@??? and tails-dev@???) but only two on pimienta.org.
>> Maybe there's something wrong on Riseup.
>
> I think that's the result of a email client misconfiguration wrt.
> remote IMAP folders prefixing, that lead to create duplicate folders
> remotely. Perhaps that's been done in the past by another of us,
> perhaps you did it yourself when trying out all possible kinds of
> Claws Mail configuration. Some clients guess what's the remote folder
> name prefix (e.g. 'INBOX.') and hide it, some other clients don't try
> to be that clever.


Probably.

>> But how is this different from what we are already documenting on
>> https://tails.boum.org/doc/encryption_and_privacy/gpgapplet/public-key_cryptography.html?
>
> That's not intrisically different. However:
>
>  * our current doc for OpenPGP applet is aimed at webmail users, who
>    can't do PGP/MIME anyway
>  * the fact we document suboptimal practices for contexts that don't
>    support anything better is no good reason to extend such
>    recommandations to contexts that do support PGP/MIME :)


Ok.

>> Because we might have to mention something on this page...
>
> Yep.


→ #9356

>> I pushed my work into doc/9161-claws-advisory. Please have a second look
>> if you want.
>
> Done, looks good, great job!
>
> Before publishing, you'll want to check that the attached images don't
> show up in the Atom/RSS feeds.


Done and pushed!

--
sajolida