Move display names to protected headers in verified chats #5166
If we encrypt the message, we strip display names from `to` and `from` fields in the unencrypted headers but put this information in the encrypted part. Otherwise we put display names in the unencrypted headers.

- [ ] Core should overwrite display name from the protected `from` field but not the whole from field, because that would allow forgery.
- For the `to` field we don't really care as people are not doing this at the moment and as soon as you receive a message from the real user, display name will be corrected.

close #5166
Current testing results is that Thunderbird stores K-9 aka Thunderbird for Android only extracts Subject and only stores Subject.
As link2xt mentioned in the comment above, Thunderbird and K9 don't show display-names when we only put them into the encrypted part. The related PR (#5183) removes all display names from unencrypted emails and moves them into the encrypted part so email client users will no longer see display names. As link2xt pointed out here (#5183 (comment)) we are not sure if that is what we want. We could add a check so that the display names are only moved into the encrypted part for verified chats. What do you think @r10s @hpk42
On Tue, Jan 23, 2024 at 00:33 -0800, Sebastian Klähn wrote:
> As link2xt mentioned in the comment above, Thunderbird and K9 don't
> show display-names when we only put them into the encrypted part. The
> related PR (#5183) removes all display names from unencrypted emails
> and moves them into the encrypted part so email client users will no
> longer see display names. As link2xt pointed out here
> (#5183 (comment))
> we are not sure if that is what we want. We could add a check so that
> the display names are only moved into the encrypted part for verified
> chats. What do you think @r10s @hpk42
I saw that Thunderbird just added Autocrypt-gossip support:
https://www.thunderbird.net/en-US/thunderbird/115.7.0/releasenotes/?uri=/thunderbird/releasenotes/
so i guess they would be open to pull displaynames from the protected headers.
For right now, only protecting displaynames for guaranteed encryption sounds fine
because guaranteed encryption is what we are recommending for maximum security/privacy, anyway,
and kind of the default mode for chatmail usage. And the check is cheap.
When and if Thunderbird/K9 also protect Displayname-metadata in the future,
we could remove the check and always perform this metadata-reduction.
Last time i checked, btw, Thunderbird was not very smart about learning
e-mail addresses and display names from To/CC fields but i am not super-actively using it.
… chats (#5166)

If a display name should be protected (i.e. opportunistically encrypted), only put the corresponding address to the unprotected headers. We protect the From display name only for verified chats, otherwise this would be incompatible with Thunderbird and K-9 who don't use display names from the encrypted part. Still, we always protect To display names as compatibility seems less critical here.

When receiving a message, overwrite the From display name but not the whole From field as that would allow From forgery. For the To field we don't really care. Anyway as soon as we receive a message from the user, the display name will be corrected.
If chat is verified (group chat or verified 1:1 chat) we should put `From:` and `To:` fields with only addresses and no display names into the unencrypted part. Encrypted part should contain the same fields, but with display names.

Empty display name passed to `Contact::add_or_lookup` is already treated as "prevent rename" and `receive_imf::from_field_to_contact_id` relies on this, so even if old client does not get to protected header it will not result into renaming everyone into "".

We can also extend this, but for the first implementation this is out of scope unless it makes implementation easier:

- `To:` field in "undisclosed recipients" for verified chats. Need to check that this interacts well with decryption failures and does not result in removing everyone from the group.
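
The header split and the receive-side rule discussed in this issue, as an added example that is not code from the project: the outer `From:` carries only the address, the protected `From:` may overwrite the display name but never the address, and an empty name leaves a stored contact name alone. `Mailbox`, `outer_header`, `effective_from` and `update_contact` are hypothetical names, and the addresses are constructed sample data.

```rust
use std::collections::HashMap;

// Hypothetical types and names for illustration; not Delta Chat core's API.
#[derive(Clone, Debug, PartialEq)]
struct Mailbox {
    name: String, // empty string = no display name
    addr: String,
}

/// Sender: value for the unencrypted header. With `protect` set, only the
/// address is exposed. (No RFC 5322 quoting; sample names are plain ASCII.)
fn outer_header(m: &Mailbox, protect: bool) -> String {
    if protect || m.name.is_empty() {
        format!("<{}>", m.addr)
    } else {
        format!("{} <{}>", m.name, m.addr)
    }
}

/// Receiver: the protected From may overwrite the display name only.
/// The address is always the one from the outer From.
fn effective_from(outer: &Mailbox, protected: Option<&Mailbox>) -> Mailbox {
    let name = match protected {
        Some(p) => p.name.clone(),
        None => outer.name.clone(),
    };
    Mailbox { name, addr: outer.addr.clone() }
}

/// Contact update in which an empty name means "prevent rename".
fn update_contact(contacts: &mut HashMap<String, String>, from: &Mailbox) {
    let stored = contacts.entry(from.addr.clone()).or_default();
    if !from.name.is_empty() {
        *stored = from.name.clone();
    }
}

fn main() {
    // Constructed sample data.
    let alice = Mailbox { name: "Alice".into(), addr: "alice@example.org".into() };
    let outer = Mailbox { name: String::new(), addr: alice.addr.clone() };
    let mut contacts = HashMap::new();
    println!("outer From: {}", outer_header(&alice, true));
    // Client that reads the protected From and learns the name.
    update_contact(&mut contacts, &effective_from(&outer, Some(&alice)));
    // Old client: sees only the outer From; the empty name does not rename.
    update_contact(&mut contacts, &effective_from(&outer, None));
    println!("{:?}", contacts);
}
```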