encrypted email indicators need to be outside email body

[diracdeltas]

from @dougdeperry:

Bug Description: It is possible to spoof a decrypted message using an image or by creating a similar-looking frameset in HTML (see attachments). This could potentially confuse a user into believing that the message they are receiving is encrypted and therefore to be trusted more than a plaintext email. Without much further extrapolation, the user could believe that replying to this message would automatically be encrypted.

Reproduction Steps: To reproduce this bug you could encrypt a message to yourself and take a screenshot of it once it is decrypted - then copy/paste it into an email to the victim. Injecting the frameset HTML is slightly more difficult:

In a non-encrypted email, right-click in the message body and “inspect element” In dev tools window expand

and tags of highlighted element Right-click
and select “Edit as HTML” Paste the frameset code directly after
Click outside the edit box to save the results See the frameset appear in the message body, manually tweak font size as necessary Send the email Mitigation: Consider moving encrypted email indicators outside the message body (such as the current location of the lock icon) so that it is more difficult to spoof.

[coruus]

We should always take control of the mail compose experience, actually. Right now there are two serious additional (related) issues:

• If a sender doesn't enter any recipients before starting to compose a message (but intends to encrypt it), plaintext drafts may be saved.
• If a sender attaches files prior to entering secure compose, those files will be transmitted to a recipient. But won't be signed or encrypted.