encrypted message subject should use standard "[...]" #8011
Assignees
Labels
type: bug
Something is causing incorrect behavior or errors
Comments
dkg
added
type: bug
dkg
added a commit
to deltachat/chatmail
that referenced
this issue
Jul 13, 2024
These additional subjects were extracted from the thunderbird-android source (which is inherited from k-9). The extraction was done with: ``` git clone https://github.com/thunderbird/thunderbird-android/ cd thunderbird-android/legacy/ui/legacy/src/main/res grep string\ name=\"encrypted_subject values-*/strings.xml | cut -f2 -d'>' | cut -f1 -d'<' | sort -u | sed -e 's/^/ "/' -e 's/$/",/' ``` (i did need to clean up one line's escaping to pass the linter's expectations) See also thunderbird/thunderbird-android#8011
dkg
added a commit
to deltachat/chatmail
that referenced
this issue
Jul 15, 2024
These additional subjects were extracted from the thunderbird-android source (which is inherited from k-9). The extraction was done with: ``` git clone https://github.com/thunderbird/thunderbird-android/ cd thunderbird-android/legacy/ui/legacy/src/main/res grep string\ name=\"encrypted_subject values-*/strings.xml | cut -f2 -d'>' | cut -f1 -d'<' | sort -u | sed -e 's/^/ "/' -e 's/$/",/' ``` (i did need to clean up one line's escaping to pass the linter's expectations) See also thunderbird/thunderbird-android#8011
cketti
removed
the
unconfirmed
hpk42
pushed a commit
to deltachat/chatmail
that referenced
this issue
Jul 17, 2024
These additional subjects were extracted from the thunderbird-android source (which is inherited from k-9). The extraction was done with: ``` git clone https://github.com/thunderbird/thunderbird-android/ cd thunderbird-android/legacy/ui/legacy/src/main/res grep string\ name=\"encrypted_subject values-*/strings.xml | cut -f2 -d'>' | cut -f1 -d'<' | sort -u | sed -e 's/^/ "/' -e 's/$/",/' ``` (i did need to clean up one line's escaping to pass the linter's expectations) See also thunderbird/thunderbird-android#8011
hpk42
pushed a commit
to deltachat/chatmail
that referenced
this issue
Jul 28, 2024
These additional subjects were extracted from the thunderbird-android source (which is inherited from k-9). The extraction was done with: ``` git clone https://github.com/thunderbird/thunderbird-android/ cd thunderbird-android/legacy/ui/legacy/src/main/res grep string\ name=\"encrypted_subject values-*/strings.xml | cut -f2 -d'>' | cut -f1 -d'<' | sort -u | sed -e 's/^/ "/' -e 's/$/",/' ``` (i did need to clean up one line's escaping to pass the linter's expectations) See also thunderbird/thunderbird-android#8011
hpk42
pushed a commit
to deltachat/chatmail
that referenced
this issue
Jul 28, 2024
These additional subjects were extracted from the thunderbird-android source (which is inherited from k-9). The extraction was done with: ``` git clone https://github.com/thunderbird/thunderbird-android/ cd thunderbird-android/legacy/ui/legacy/src/main/res grep string\ name=\"encrypted_subject values-*/strings.xml | cut -f2 -d'>' | cut -f1 -d'<' | sort -u | sed -e 's/^/ "/' -e 's/$/",/' ``` (i did need to clean up one line's escaping to pass the linter's expectations) See also thunderbird/thunderbird-android#8011
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Checklist
App version
git head (123ad8c)
Where did you get the app from?
Other
Android version
fetched from source
Device model
No response
Steps to reproduce
Expected behavior
It would be better to use the non-localized string
[...]as recommended in the default HCPs in draft-ietf-lamps-header-protection.Using a localized string leaks the user's locale to any network operator that can view the message, which reduces size of the anonymity set. Furthermore, using a specific string unique to thunderbird-android (or k-9) leaks information about what e-mail client the user is using. This not only reduces the size of the anonymity set further, it also potentially leaks information that an adversary could use for targeted attacks based on known flaws with specific MUAs.
Finally, a subject line of "Encrypted message" (in whatever language) can be accidentally copied into a reply message, which itself is not encrypted. So the string "Encrypted message" isn't even a reliable signal to the end user who receives such a message.
Actual behavior
the external Subject header field for an encrypted message shows "Encrypted message" or some other localized string.
Logs
No response
The text was updated successfully, but these errors were encountered: