Bug #9161: Write a security advisory about Claws leaking cleartext to IMAP server

Bug #9161

Write a security advisory about Claws leaking cleartext to IMAP server

Added by sajolida 2015-04-06 14:50:54 . Updated 2015-08-25 14:08:26 .

Status:

Resolved

Priority:

Low

Assignee:

sajolida

Category:

Target version:

Tails_1.4

Start date:

2015-04-06

Due date:

% Done:

100%

Feature Branch:

Type of work:

End-user documentation

Blueprint:

Starter:

Affected tool:

Email Client

Deliverable for:

Description

Once we reach the freeze for 1.4, if ~~Bug #8986~~ and ~~Bug #9000~~ are not solved we should issue a security advisory.

Even if ~~Bug #8986~~ and ~~Bug #9000~~ are solved we should mention that this problem existed in the past.

Here is a possible synopsis for the advisory. Note that while working on this, I discovered that this bug might not affect as many people as we thought. At least not all our IMAP users.

Problem
- Draft and Queue are saved unencrypted on the server with IMAP
Am I affected by this?
- Only if you use IMAP (which is the default)
- Draft
  - Automatic saving is disabled by default in Tails, so if you haven’t changed this setting or installed after Tails 0.10.1 (20120130) you’re not affected.
    - [internal] by the way, we knew this already see 04fc69a from Tails 0.10.1 (20120130)
- Queue = “Send later”
  - Very likely to not use it as it doesn’t make much sense in IMAP, or if you use it you’re aware of it because it’s a deliberate action.
Possible workarounds
- Use POP instead of IMAP to avoid all bad surprises
  - TODO: Need to rework persistence bug documentation (~~Feature #9159~~)
  - [internal] Do we want to propose POP by default? (~~Feature #9303~~)
- If you want to keep IMAP with autosaving activated, consider using Claws 3.10.1-2~bpo70+1 from backports
  - It has a new option to disable automatic saving if the message is to be encrypted
  - Add to additional software packages:
    claws-mail/wheezy-backports
    claws-mail-archiver-plugin/wheezy-backports
    claws-mail-i18n/wheezy-backports
    claws-mail-pgpinline/wheezy-backports
    claws-mail-pgpmime/wheezy-backports
  - Uncheck Configuration → Preferences… → Compose → Writing → Even if message is to be encrypted
  - [internal] Do we want to ship Claws backports ourselves? (~~Feature #9302~~)
- If you want to keep IMAP and use Queue, consider using a local mailbox for storing them
  - https://labs.riseup.net/code/issues/8999#note-8
  - You can use the same technique to save your drafts as well

Subtasks

Related issues

Related to Tails - ~~Feature #9302~~: Consider shipping claws-mail 3.10.1-2~bpo70+1	Rejected	2015-04-30
Related to Tails - ~~Feature #9159~~: Test that the persistence bug of Claws is documented correctly	Resolved	2015-04-06

History

#1 Updated by intrigeri 2015-04-06 15:10:58

Target version set to Tails_1.4

#2 Updated by sajolida 2015-04-27 02:55:19

Priority changed from Normal to Elevated

#3 Updated by sajolida 2015-04-30 07:29:13

If issued before ~~Feature #9302~~, we could document adding configuring the following additional software:

claws-mail/wheezy-backports
claws-mail-archiver-plugin/wheezy-backports
claws-mail-pgpinline/wheezy-backports
claws-mail-pgpmime/wheezy-backports

It needs to be tested.

#4 Updated by sajolida 2015-04-30 07:30:09

related to ~~Feature #9302~~: Consider shipping claws-mail 3.10.1-2~bpo70+1 added

#5 Updated by sajolida 2015-05-03 04:43:24

related to ~~Feature #9158~~: Have a script to keep track of UUI releases added

#6 Updated by sajolida 2015-05-03 05:57:14

Description updated

#7 Updated by sajolida 2015-05-03 06:03:49

related to deleted (~~~~Feature #9158~~: Have a script to keep track of UUI releases~~)

#8 Updated by sajolida 2015-05-03 06:03:55

related to ~~Feature #9159~~: Test that the persistence bug of Claws is documented correctly added

#9 Updated by intrigeri 2015-05-03 12:32:33

wrt. “Am I affected by this?”: there’s a manual “save as draft” option, so just saying “Automatic saving is disabled by default” doesn’t lead us far enough IMO. Users may still save stuff in the clear, while they believe it will be encrypted.
wrt. “Queue = ”Send later“, Very likely to not use it as it doesn’t make much sense in IMAP, or if you use it you’re aware of it because it’s a deliberate action.”:
- I don’t understand why it doesn’t make much sense in IMAP: one can compose email offline.
- I’m not convinced by the “deliberate action” part: if the user has explicitly chosen to encrypt an email, perhaps they wouldn’t be that wrong if they believed that “Send later” would save it encrypted, just as “Send” would send it encrypted?
- Claws Mail sends the cleartext email in Queue before encrypting and sending IIRC (confirmed by _adamb on ~~Feature #9302#note-10~~) so no, it’s not a deliberate action to put mail to queue.

=> the synopsis intro (" I discovered that this bug might not affect as many people as we thought. At least not all our IMAP users.") seems a bit too optimistic.

#10 Updated by sajolida 2015-05-04 07:13:00

I tested again and indeed when sending an email through IMAP, Claws does the following:

1. Connect through IMAP to store the email in plaintext in the Queue folder of the server.
2. Connect through SMTP to send the email encrypted.
3. Connect through IMAP to store the encrypted email in the Sent folder of the server.
4. Connect through IMAP to delete the plaintext email from the Queue folder of the server.

What a mess!

#11 Updated by BitingBird 2015-05-05 20:28:40

Status changed from Confirmed to In Progress
% Done changed from 0 to 20

#12 Updated by sajolida 2015-05-07 16:28:27

Status changed from In Progress to Resolved
% Done changed from 20 to 100

Applied in changeset commit:17fa9459c965fbc86d3b8008bd9d309d2b97a76d.

#13 Updated by BitingBird 2015-08-25 14:08:27

Priority changed from Elevated to Low