
Lack of recipient certificate when sending means unencrypted email will be sent whether you want it or not
Status: Closed, Resolved (Public)

Description

Release: 0.9.10

Environment

Windows XP SP2, Outlook 2003 (11.8010.6568) SP2

Description

I was testing GPG4Win and GPGol for the first time and wanted to see how well it worked. Having sent a test signed email successfully, I attempted to test an encrypted email. I set the options for GPGol to encrypt by default and typed in a test email. Having clicked Send, I was asked to pick which recipient to send to, although I did not have the correct certificate installed for that email recipient. There was no way of not sending the email. The options were pick a certificate (which I didn't have) or send it unencrypted. That is terrible security. What happens if the email that is ready to send contained sensitive information (a good assumption if you want to encrypt it in the first place)? There are going to be times when a user thinks they have someone's cert but doesn't, or gets the email address wrong, or something like that. I don't want it to be sent unencrypted, but I don't have a certificate to choose. I would want an option to NOT send the email. That wasn't available.

How To Repeat

GPGol set to encrypt new messages by default.
Create a new email to a recipient you don't have a certificate for.
Click Send.
You are asked to select the recipient key (which you don't have).
Click Cancel.
The only options are "OK" (send unencrypted) or "Cancel" (go back to the previous dialogue); neither returns to the message without sending it.

Fix

Provide an option to go back to the email without sending it.
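The fail-closed behaviour this fix asks for, as an added illustration that is not GpgOL's own code: recipient resolution against a constructed keyring where a missing certificate yields "cancel" (message stays in the editor) and plaintext is only ever an explicit user choice, never the automatic fallback. The keyring contents and fingerprint strings are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for a keyring lookup (email -> fingerprint).
# Placeholder values; a real client would query GnuPG here.
KEYRING: Dict[str, str] = {
    "alice@example.org": "FPR-ALICE-PLACEHOLDER",
}


@dataclass(frozen=True)
class SendDecision:
    action: str          # "encrypt", "cancel", or "plaintext"
    missing: List[str]   # recipients with no usable certificate
    keys: List[str]      # fingerprints to encrypt to (empty unless "encrypt")


def decide_send(recipients: List[str],
                keyring: Optional[Dict[str, str]] = None,
                encrypt_by_default: bool = True,
                allow_plaintext_override: bool = False) -> SendDecision:
    """Resolve recipients to keys with a fail-closed default.

    If encryption is in effect and any recipient has no certificate, the
    automatic outcome is 'cancel': nothing leaves the client. Sending in
    the clear requires the caller to pass an explicit override flag, which
    models a deliberate user choice rather than a default.
    """
    kr = KEYRING if keyring is None else keyring
    if not encrypt_by_default:
        return SendDecision("plaintext", [], [])

    missing: List[str] = []
    keys: List[str] = []
    for addr in recipients:
        fpr = kr.get(addr.strip().lower())  # case-insensitive address match
        if fpr is None:
            missing.append(addr)
        else:
            keys.append(fpr)

    if not missing:
        return SendDecision("encrypt", [], keys)
    if allow_plaintext_override:
        return SendDecision("plaintext", missing, [])
    # Default path with a missing certificate: do not send, keep the draft.
    return SendDecision("cancel", missing, [])
```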