Re: [Tails-dev] [Tails-support] PGP MIME is insecure (for me…

Delete this message

Reply to this message
Author: intrigeri
Date:  
To: tails-dev
CC: User support for Tails, Jeff Anderson
Subject: Re: [Tails-dev] [Tails-support] PGP MIME is insecure (for me)
Hi,

Jeff Anderson wrote (24 Feb 2015 03:54:31 GMT) :
> I was using Claws with PGP MIME. I am setup to use IMAP (not POP). I
> prepared a message and set it to encrypt the content. Then I selected "Send
> Later". The message went into the Queue folder.

[...]
> I worry that this is viewable on the mail server side... so I login through
> Squirlmail web interface. I go to the Queue folder. I see the content of my
> email and it is not encrypted.


Ouch!

> I think the above is a security issue. It means that any system
> administrator on the mail server side should be able to extract the
> plaintext Body content from all my emails.


Indeed. Redirecting the discussion to tails-dev@???, then.
Please drop tails-support@ from the Cc list on next replies.

Jeff, do you read that list or should we keep Cc'ing you?

> My solution was to switch from "PGP MIME" to "PGP Inline" for the Privacy
> preference in the Mail Account settings.


Unfortunately PGP inline has its own share of issues (lack of
standardization, inter-operability problems, basically unusable when
mixing different char encodings, etc.) so I'd rather avoid make it
the default.

> I am wondering if this issue is mentioned anywhere in the Tails documents
> online. As I think this is a pretty big hole for those expecting to use
> Claws and PGP to safely encrypt content that cannot be viewed by a 3rd
> party.


Indeed, at the very least we should warn users about it. But let's
first try and find a nicer solution.

Is there a way to configure Claws Mail to use a different Queue
directory, e.g. a locally stored one instead of one that's
synchronized with the remote IMAP server? (As a beneficial
side-effect, this would also make sending email faster :)

> I appreciate your time,


Thanks a lot for the detailed report!

Cheers,
--
intrigeri