Bug #9161

Write a security advisory about Claws leaking cleartext to IMAP server

Added by sajolida 2015-04-06 14:50:54 . Updated 2015-08-25 14:08:26 .

Status:
Resolved
Priority:
Low
Assignee:
sajolida
Category:
Target version:
Start date:
2015-04-06
Due date:
% Done:

100%

Feature Branch:
Type of work:
End-user documentation
Blueprint:

Starter:
Affected tool:
Email Client
Deliverable for:

Description

Once we reach the freeze for 1.4, if Bug #8986 and Bug #9000 are not solved we should issue a security advisory.

Even if Bug #8986 and Bug #9000 are solved we should mention that this problem existed in the past.

Here is a possible synopsis for the advisory. Note that while working on this, I discovered that this bug might not affect as many people as we thought. At least not all our IMAP users.

  • Problem
    • Draft and Queue are saved unencrypted on the server with IMAP
  • Am I affected by this?
    • Only if you use IMAP (which is the default)
    • Draft
      • Automatic saving is disabled by default in Tails, so if you haven’t changed this setting or installed after Tails 0.10.1 (20120130) you’re not affected.
        • [internal] by the way, we knew this already see 04fc69a from Tails 0.10.1 (20120130)
    • Queue = “Send later”
      • Very likely to not use it as it doesn’t make much sense in IMAP, or if you use it you’re aware of it because it’s a deliberate action.
  • Possible workarounds
    • Use POP instead of IMAP to avoid all bad surprises
      • TODO: Need to rework persistence bug documentation (Feature #9159)
      • [internal] Do we want to propose POP by default? (Feature #9303)
    • If you want to keep IMAP with autosaving activated, consider using Claws 3.10.1-2~bpo70+1 from backports
      • It has a new option to disable automatic saving if the message is to be encrypted
      • Add to additional software packages:
        claws-mail/wheezy-backports
        claws-mail-archiver-plugin/wheezy-backports
        claws-mail-i18n/wheezy-backports
        claws-mail-pgpinline/wheezy-backports
        claws-mail-pgpmime/wheezy-backports
      • Uncheck Configuration → Preferences… → Compose → Writing → Even if message is to be encrypted
      • [internal] Do we want to ship Claws backports ourselves? (Feature #9302)
    • If you want to keep IMAP and use Queue, consider using a local mailbox for storing them

Subtasks


Related issues

Related to Tails - Feature #9302: Consider shipping claws-mail 3.10.1-2~bpo70+1 Rejected 2015-04-30
Related to Tails - Feature #9159: Test that the persistence bug of Claws is documented correctly Resolved 2015-04-06

History

#1 Updated by intrigeri 2015-04-06 15:10:58

  • Target version set to Tails_1.4

#2 Updated by sajolida 2015-04-27 02:55:19

  • Priority changed from Normal to Elevated

#3 Updated by sajolida 2015-04-30 07:29:13

If issued before Feature #9302, we could document adding configuring the following additional software:

claws-mail/wheezy-backports
claws-mail-archiver-plugin/wheezy-backports
claws-mail-pgpinline/wheezy-backports
claws-mail-pgpmime/wheezy-backports

It needs to be tested.

#4 Updated by sajolida 2015-04-30 07:30:09

  • related to Feature #9302: Consider shipping claws-mail 3.10.1-2~bpo70+1 added

#5 Updated by sajolida 2015-05-03 04:43:24

  • related to Feature #9158: Have a script to keep track of UUI releases added

#6 Updated by sajolida 2015-05-03 05:57:14

  • Description updated

#7 Updated by sajolida 2015-05-03 06:03:49

  • related to deleted (Feature #9158: Have a script to keep track of UUI releases)

#8 Updated by sajolida 2015-05-03 06:03:55

  • related to Feature #9159: Test that the persistence bug of Claws is documented correctly added

#9 Updated by intrigeri 2015-05-03 12:32:33

  • wrt. “Am I affected by this?”: there’s a manual “save as draft” option, so just saying “Automatic saving is disabled by default” doesn’t lead us far enough IMO. Users may still save stuff in the clear, while they believe it will be encrypted.
  • wrt. “Queue = ”Send later“, Very likely to not use it as it doesn’t make much sense in IMAP, or if you use it you’re aware of it because it’s a deliberate action.”:
    • I don’t understand why it doesn’t make much sense in IMAP: one can compose email offline.
    • I’m not convinced by the “deliberate action” part: if the user has explicitly chosen to encrypt an email, perhaps they wouldn’t be that wrong if they believed that “Send later” would save it encrypted, just as “Send” would send it encrypted?
    • Claws Mail sends the cleartext email in Queue before encrypting and sending IIRC (confirmed by _adamb on Feature #9302#note-10) so no, it’s not a deliberate action to put mail to queue.

=> the synopsis intro (" I discovered that this bug might not affect as many people as we thought. At least not all our IMAP users.") seems a bit too optimistic.

#10 Updated by sajolida 2015-05-04 07:13:00

I tested again and indeed when sending an email through IMAP, Claws does the following:

1. Connect through IMAP to store the email in plaintext in the Queue folder of the server.
2. Connect through SMTP to send the email encrypted.
3. Connect through IMAP to store the encrypted email in the Sent folder of the server.
4. Connect through IMAP to delete the plaintext email from the Queue folder of the server.

What a mess!

#11 Updated by BitingBird 2015-05-05 20:28:40

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 20

#12 Updated by sajolida 2015-05-07 16:28:27

  • Status changed from In Progress to Resolved
  • % Done changed from 20 to 100

Applied in changeset commit:17fa9459c965fbc86d3b8008bd9d309d2b97a76d.

#13 Updated by BitingBird 2015-08-25 14:08:27

  • Priority changed from Elevated to Low