#266 Enigmail does not cross check timestamps on signature and mail

open
nobody
None
1.6.0
Enhancement
24.4.0
2.0.22
All
---
2014-08-22
2014-04-02
Felipe Lessa
No

Right now you are able to see both the e-mail's timestamp and the signature's timestamp. However, Enigmail does not try to cross check them. A warning should be displayed if they're too far apart, since it indicates a potential problem.

For example, if you sent a message whose meaning was mostly in the subject, such as:

Date: 01/01/2010
Subject: Meet me at John's tomorrow

Cya!
--
Dave.

Then an attacker would be able to send to anyone else a message:

Date: 21/12/2013
Subject: Sell all your stock RIGHT NOW!

Cya!
--
Dave.

No warning would be displayed on current Enigmail behaviour.

Discussion

  • Severity: Major --> Enhancement

  • I agree that it would be nice to have a function in Enigmail warning if time difference between signature time and date header exceeds a certain threshold (btw: what difference should be acceptable?).

    "Date:" header is a header line, such as "Subject:", which are never signed and/or encrypted in the OpenPGP standard. This is widely known, and it is documented. Therefore setting severity to "Enhancement".
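
The cross-check requested in this ticket, sketched as an added example (not Enigmail's code and not part of the thread). It assumes the `VALIDSIG` line from gpg's `--status-fd` output is available; the function names, the sample fingerprint and the one-hour threshold are constructed for illustration, since the thread leaves the acceptable difference open.

```javascript
"use strict";

// Signature creation time (epoch seconds) from gpg status output.
// Field layout: [GNUPG:] VALIDSIG <fpr> <YYYY-MM-DD> <sig-timestamp> ...
function signatureTime(statusText) {
  for (const line of statusText.split(/\r?\n/)) {
    const f = line.trim().split(/\s+/);
    if (f[0] === "[GNUPG:]" && f[1] === "VALIDSIG" && /^\d+$/.test(f[4] || "")) {
      return Number(f[4]);
    }
  }
  return null; // no valid signature, or timestamp not given as epoch seconds
}

// Compare the unsigned Date: header with the signed timestamp.
// "unknown" means the check could not be made and must not be shown as a pass.
function checkDateSkew(dateHeader, statusText, maxSkewSeconds) {
  const signed = signatureTime(statusText);
  const claimedMs = Date.parse(dateHeader || "");
  if (signed === null || Number.isNaN(claimedMs)) {
    return { status: "unknown", skewSeconds: null };
  }
  const skew = Math.abs(Math.round(claimedMs / 1000) - signed);
  return { status: skew > maxSkewSeconds ? "warn" : "ok", skewSeconds: skew };
}

// Constructed sample: a signature made 2010-01-01 12:00:00 UTC.
const FPR = "0123456789ABCDEF0123456789ABCDEF01234567"; // constructed value
const STATUS = [
  "[GNUPG:] GOODSIG 0123456789ABCDEF Dave (constructed)",
  `[GNUPG:] VALIDSIG ${FPR} 2010-01-01 1262347200 0 4 0 1 8 00 ${FPR}`,
].join("\n");
const MAX_SKEW = 3600; // arbitrary threshold, in seconds

// Header written at signing time vs. the same signed body under a later date.
const original = checkDateSkew("Fri, 01 Jan 2010 12:03:00 +0000", STATUS, MAX_SKEW);
const redated = checkDateSkew("Sat, 21 Dec 2013 09:30:00 +0000", STATUS, MAX_SKEW);
console.log(original.status, redated.status);
```

The check only ties the `Date:` header to the signature time; the `Subject:` line in the ticket's scenario remains unsigned either way.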