
GpgOL: From field might not match UID used for verification
Closed, Resolved, Public


Outlook shows, in the "Sender" field, the name of the sender followed by the email address.

This is problematic because GpgOL only uses the email address for UserID matching (which is a good thing, as the name might not always be the same).

The problem is that if a name looks like a mail address and the email verifies to "green", an attacker can fake the signature status (screenshot not reproduced here) when a header

From: x <someother@mail>

is used.
Outlook shows no indication that the Sender field is actually longer.

To mitigate this we need to show which UserID GpgOL used for verification.
This is quite a large change, as we no longer use the static "Trusted Sender" category but dynamic temporary categories that include the UserID.
As we are dynamic anyway, we can also include the trust level directly in the category.

It now looks like the screenshots attached to the original ticket (not reproduced here): the default view, then with level 2 trust, level 3 and level 4.
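The following is an added illustration written for this page, not GpgOL's own code. It models the two halves of the ticket: the spoof (a display name that looks like an address in front of a different, legitimately verifying addr-spec, with Outlook truncating the field) and the mitigation (a dynamic category that names the UserID actually used for verification together with the trust level). The sample From headers, the `GpgOL: Level N Trust: <uid>` category format, the truncation width and the extra "display name looks like an address" heuristic are all assumptions made here; the ticket itself only specifies that the UserID and trust level go into the category.

```python
"""Constructed model of the GpgOL From-field / UID mismatch (not GpgOL code)."""
import re
from email.utils import parseaddr

# Constructed sample headers. The second one uses a display name that looks
# like an address, which is exactly the trick the ticket describes.
HONEST_FROM = "Alice Example <alice@example.org>"
SPOOFED_FROM = '"alice@example.org" <someother@mail>'

# Hypothetical: the attacker legitimately holds a key whose UserID email is
# someother@mail, so a signature from that key verifies "green".
VERIFIED_UID_EMAIL = "someother@mail"

# Rough test for "this display name looks like a mail address" (assumption,
# not a heuristic GpgOL uses).
ADDR_LIKE = re.compile(r"^[^\s@]+@[^\s@]+$")


def sender_parts(from_header):
    """Split a From header into (display name, lower-cased addr-spec)."""
    name, addr = parseaddr(from_header)
    return name.strip(), addr.lower()


def sender_field_preview(from_header, width):
    """Model the visible part of a narrow Outlook 'Sender' field: the name
    comes first, the address only if it fits. With a spoofed name the
    visible text is entirely under attacker control."""
    name, addr = sender_parts(from_header)
    return f"{name} <{addr}>"[:width]


def naive_status(from_header, verified_uid_email):
    """Old behaviour as the ticket describes it: only the addr-spec is
    matched against the verified UserID and a static label is shown, so the
    display name never influences the result."""
    _, addr = sender_parts(from_header)
    return "Trusted Sender" if addr == verified_uid_email.lower() else None


def category_for(from_header, verified_uid_email, level):
    """Mitigation from the ticket: the category is built dynamically from
    the UserID that verified and the trust level, so it cannot be read as
    vouching for whatever name Outlook happens to display. The exact label
    format is an assumption."""
    _, addr = sender_parts(from_header)
    if addr != verified_uid_email.lower():
        return None  # no verified signature for this sender: no category
    return f"GpgOL: Level {level} Trust: {addr}"


def name_spoof_warning(from_header, verified_uid_email):
    """Extra check (not in the ticket): flag a display name that looks like
    an address but is not the UserID that actually verified."""
    name, _ = sender_parts(from_header)
    return bool(ADDR_LIKE.match(name)) and name.lower() != verified_uid_email.lower()


if __name__ == "__main__":
    for hdr in (HONEST_FROM, SPOOFED_FROM):
        print(repr(sender_field_preview(hdr, 17)),
              naive_status(hdr, VERIFIED_UID_EMAIL),
              category_for(hdr, VERIFIED_UID_EMAIL, 3),
              name_spoof_warning(hdr, VERIFIED_UID_EMAIL))
```

Run as a script it prints one line per sample header. For the spoofed header the truncated preview reads `alice@example.org`, the old static label says "Trusted Sender", and the new category says `GpgOL: Level 3 Trust: someother@mail`, which is the visible contradiction the ticket's change is meant to surface.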
