Move display names to protected headers in verified chats #5166

Open
link2xt opened this issue Jan 8, 2024 · 3 comments · May be fixed by #5183

link2xt commented Jan 8, 2024

If the chat is verified (group chat or verified 1:1 chat), we should put `From:` and `To:` fields with only addresses and no display names into the unencrypted part. The encrypted part should contain the same fields, but with display names.

An empty display name passed to `Contact::add_or_lookup` is already treated as "prevent rename" and `receive_imf::from_field_to_contact_id` relies on this, so even if an old client does not get to the protected header, it will not result in renaming everyone to "".

We can also extend this, but for the first implementation this is out of scope unless it makes implementation easier:

  1. Move display names to protected headers for all Autocrypt-encrypted messages. This would be even better, but we need to check in advance that at least Thunderbird handles it.
  2. Completely remove the To: field in "undisclosed recipients" for verified chats. Need to check that this interacts well with decryption failures and does not result in removing everyone from the group.

Septias self-assigned this Jan 11, 2024

Septias pushed a commit that referenced this issue Jan 15, 2024

If we encrypt the message, we strip display names from `to` and `from` fields in the unencrypted headers but put this information in the encrypted part. Otherwise we put display names in the unencrypted headers.

- [ ] Core should overwrite display name from the protected `from` field but not the whole from field, because that would allow forgery.
- For the `to` field we don't really care as people are not doing this at the moment and as soon as you receive a message from the real user, display name will be corrected.

close #5166
link2xt commented Jan 16, 2024

The current testing result is that Thunderbird stores From and To in protected headers but does not extract them, at least the display name from From.

K-9 aka Thunderbird for Android only extracts Subject and only stores Subject.

Septias pushed a commit that referenced this issue Jan 18, 2024
If we encrypt the message, we strip display names from `to` and `from` fields in the unencrypted headers but put this information in the encrypted part. Otherwise we put display names in the unencrypted headers.

- [ ] Core should overwrite display name from the protected `from` field but not the whole from field, because that would allow forgery.
- For the `to` field we don't really care as people are not doing this at the moment and as soon as you receive a message from the real user, display name will be corrected.

close #5166
Septias commented Jan 23, 2024

As link2xt mentioned in the comment above, Thunderbird and K9 don't show display names when we only put them into the encrypted part. The related PR (#5183) removes all display names from unencrypted emails and moves them into the encrypted part, so email client users will no longer see display names. As link2xt pointed out here (#5183 (comment)), we are not sure if that is what we want. We could add a check so that the display names are only moved into the encrypted part for verified chats. What do you think, @r10s @hpk42?

hpk42 commented Jan 24, 2024 via email

iequidoo pushed a commit that referenced this issue Jun 4, 2024
… chats (#5166)

If a display name should be protected (i.e. opportunistically encrypted), only put the corresponding
address to the unprotected headers. We protect the From display name only for verified chats,
otherwise this would be incompatible with Thunderbird and K-9 who don't use display names from the
encrypted part. Still, we always protect To display names as compatibility seems less critical here.

When receiving a message, overwrite the From display name but not the whole From field as that would
allow From forgery. For the To field we don't really care. Anyway as soon as we receive a message
from the user, the display name will be corrected.
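
The policy in the commit message above, sketched as an added example (not code from Delta Chat core or from PR #5183): the sender decides which headers go into the unencrypted part, and the receiver takes only the display name from the protected From. The `Mailbox` type, the function names and the sample addresses are hypothetical.

```rust
// Added illustration; types and function names are hypothetical, not Delta Chat core code.
#[derive(Clone, Debug, PartialEq)]
pub struct Mailbox {
    pub name: String, // empty = no display name ("prevent rename" on the receiver)
    pub addr: String,
}
impl Mailbox {
    pub fn new(name: &str, addr: &str) -> Self {
        Mailbox { name: name.into(), addr: addr.into() }
    }
    fn addr_only(&self) -> Self {
        Mailbox::new("", &self.addr)
    }
}

/// Sender side: headers for the unencrypted (outer) part.
/// The encrypted part always carries the full `from` and `to`.
pub fn outer_headers(
    from: &Mailbox, to: &[Mailbox], encrypted: bool, verified: bool,
) -> (Mailbox, Vec<Mailbox>) {
    if !encrypted {
        return (from.clone(), to.to_vec()); // no encrypted part to hold the names
    }
    // From name is hidden only in verified chats (Thunderbird/K-9 compatibility);
    // To names are hidden for every encrypted message.
    let outer_from = if verified { from.addr_only() } else { from.clone() };
    (outer_from, to.iter().map(Mailbox::addr_only).collect())
}

/// Receiver side: the address always comes from the outer From; only the
/// display name may be taken from the protected From. An empty result name
/// means "keep the contact's current name".
pub fn effective_from(outer: &Mailbox, protected: Option<&Mailbox>) -> Mailbox {
    let name = protected
        .map(|p| p.name.as_str())
        .filter(|n| !n.is_empty())
        .unwrap_or(outer.name.as_str());
    Mailbox::new(name, &outer.addr)
}

fn main() {
    // Constructed sample values.
    let alice = Mailbox::new("Alice", "alice@example.org");
    let bob = Mailbox::new("Bob", "bob@example.org");
    let (of, ot) = outer_headers(&alice, &[bob], true, true);
    println!("outer From: {:?}, outer To: {:?}", of, ot);
    let forged = Mailbox::new("Alice", "mallory@example.net");
    println!("accepted From: {:?}", effective_from(&of, Some(&forged)));
}
```

A protected From that names a different address changes nothing about which address the message is attributed to; only the name is applied.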