AmShaegar13
commented
6 years ago Cool idea!
Open sinteur opened 6 years ago
AmShaegar13
commented
6 years ago Cool idea!
TwizzyDizzy
commented
6 years ago In itself a nice idea, yet you have a trust problem: what if an attacker uploads his public key to a public keyserver under that mail address (maybe the victim hasn't even had a key on a keyserver) ... your would automatically trust the attacker and encrypt the message with his public key.
Am I missing something?
Cheers Thomas
sinteur
commented
6 years ago That would be a denial-of-service attack since the recipient of the email would suddenly stop being able to read it. And that might actually be the first indication somebody gets that a key was uploaded in his name. Nevertheless, it is simply worked around by changing "check the key server" to "use the key the user uploaded to rocket chat and is stored with his or her profile". Actually, make that the default and give the server admin a "fallback to key server check" that is disabled by default. That way people can make the choice.
TwizzyDizzy
commented
6 years ago Yeah, true. Upload of the key would be a nice workaround, too :)
:+1:
Cheers Thomas
For @ mentions, email is sent unencrypted. This might leak confidential info. It would be nice if outgoing email was encrypted with GPG if the target email address has a public key available on one of the key servers ("gpg --search-key someone@example.com")