YahooArchive / end-to-end

Use OpenPGP-based encryption in Yahoo mail.
http://yahoo.tumblr.com/post/113708033335/user-focused-security-end-to-end-encryption
Apache License 2.0

IFrame Injection UI Improvements #18

Open diracdeltas opened 9 years ago

diracdeltas commented 9 years ago

from @dougdeperry:

Bug Description:

E2E injects an iframe into the compose or read message body in order to display signed or encrypted contents. E2E determines when to inject this iframe based on the presence of standard PGP message blocks. For example:

    -----BEGIN PGP MESSAGE-----
    Charset: UTF-8
    Version: Yahoo Mail E2E v0.3.1341

    -----END PGP MESSAGE-----

Whenever E2E sees a message block that looks like this it will inject the E2E iframe regardless of whether the message is properly signed or encrypted. If an attacker spoofs the from email address and uses the ‘BEGIN PGP MESSAGE’ in the message body, E2E will inject the iframe even if the message contains no legitimately signed or encrypted content. This can give the impression that the message is legitimate, which can aid in phishing attacks.

Reproduction Steps: Send an email with the following text:

    -----BEGIN PGP MESSAGE-----
    Charset: UTF-8
    Version: Yahoo Mail E2E v0.3.1341
    This is a legitimate message from Yahoo. Please goto http://www.downloadmymalware.com
    -----END PGP MESSAGE-----

See appendix A for a screenshot of the received message.

Mitigation:

If an error is detected during decryption/display, remove the injected iframe and just display the plaintext message contents and/or create a smaller iframe (or one that somehow looks different than the correct one) and display an error message.

diracdeltas commented 9 years ago

Case in point: the github notification for this issue was displayed in a frame. :)

I think in the case where the message is not a well-formed PGP signature, we should not show the iframe. However, if the signature is well-formed but invalid (because the signing key expired, for instance, or yahoo mail backend mangled the message body), maybe the current behavior makes sense. That way, users see an error message with "BAD signature from ..." in the frame, which looks pretty scary.
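The distinction drawn in the bug report and in the comment above, as an added example (not code from the end-to-end project): only text that holds a structurally well-formed RFC 4880 armored block gets the iframe, while text that merely contains the BEGIN/END markers is rendered as plaintext; whether a well-formed block then verifies or decrypts is a separate, later decision. The function names, the spoof sample and the one-byte placeholder payload are constructed for this example; it runs under Node.

```javascript
// Marker-only test: the check the report describes E2E keying the iframe on.
function containsArmorMarkers(text) {
  return text.includes('-----BEGIN PGP MESSAGE-----') && text.includes('-----END PGP MESSAGE-----');
}
// RFC 4880 section 6.1 CRC-24 over the decoded armor payload.
function crc24(bytes) {
  let crc = 0xB704CE;
  for (const b of bytes) {
    crc ^= b << 16;
    for (let i = 0; i < 8; i++) {
      crc <<= 1;
      if (crc & 0x1000000) crc ^= 0x1864CFB;
    }
  }
  return crc & 0xFFFFFF;
}
const ARMOR_RE = /-----BEGIN PGP (MESSAGE|SIGNATURE)-----\r?\n([\s\S]*?)\r?\n-----END PGP \1-----/;
// Returns the decoded payload (Buffer) when `text` holds one structurally well-formed
// armored block, else null. Signature/decryption checks happen after this, not here.
function parseArmor(text) {
  const m = ARMOR_RE.exec(text);
  if (!m) return null;
  const lines = m[2].split(/\r?\n/);
  let i = 0; // armor headers ("Key: value") run up to the first blank line
  while (i < lines.length && lines[i] !== '') {
    if (!/^[A-Za-z0-9-]+: /.test(lines[i])) return null;
    i++;
  }
  const body = lines.slice(i + 1); // empty when no blank line separates headers from body
  let checksum = null; // optional "=" + 4 base64 chars closing the body
  if (body.length && /^=[A-Za-z0-9+/]{4}$/.test(body[body.length - 1])) checksum = body.pop();
  const joined = body.join('');
  if (!body.length || body.some((l) => l === '') || joined.length % 4 !== 0 ||
      !/^[A-Za-z0-9+/]+={0,2}$/.test(joined)) return null;
  const payload = Buffer.from(joined, 'base64');
  if (checksum !== null &&
      Buffer.from(checksum.slice(1), 'base64').readUIntBE(0, 3) !== crc24(payload)) return null;
  return payload;
}
// 'plain': show the body as text, no iframe. 'frame': inject the iframe; whether it then
// shows content or a "BAD signature" style error is decided by the OpenPGP layer.
function renderMode(text) {
  return parseArmor(text) === null ? 'plain' : 'frame';
}
// Constructed samples. SPOOF mirrors the report: prose where an armored payload belongs.
const SPOOF = ['-----BEGIN PGP MESSAGE-----', 'Charset: UTF-8', 'Version: Yahoo Mail E2E v0.3.1341',
  'This is a legitimate message from Yahoo.', '-----END PGP MESSAGE-----'].join('\n');
// One placeholder payload byte (0x00); "=YWnT" is its CRC-24 as crc24() computes it.
const WELL_FORMED = ['-----BEGIN PGP MESSAGE-----', 'Version: Yahoo Mail E2E v0.3.1341', '',
  'AA==', '=YWnT', '-----END PGP MESSAGE-----'].join('\n');
```

Both samples pass containsArmorMarkers(), which is exactly the bug; only WELL_FORMED passes parseArmor().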

diracdeltas commented 9 years ago

This is what Doug's test case (invalid message surrounded by valid PGP armor) looks like when rendered in ymail with end-to-end:

[Screenshot: screen shot 2015-03-30 at 10 09 30 am]

Do others think that this doesn't look "different enough" from a valid message? What are some UI suggestions?