Write a security advisory about Claws leaking cleartext to IMAP server
Once we reach the freeze for 1.4, if #8986 (closed) and #9000 (closed) are not solved we should issue a security advisory.
Even if #8986 (closed) and #9000 (closed) are solved we should mention that this problem existed in the past.
Here is a possible synopsis for the advisory. Note that while working on this, I discovered that this bug might not affect as many people as we thought. At least not all our IMAP users.
- Problem
- Draft and Queue are saved unencrypted on the server with IMAP
- Am I affected by this?
- Only if you use IMAP (which is the default)
- Draft
- Automatic saving is disabled by default in Tails, so if you
haven’t changed this setting or installed after Tails 0.10.1
(20120130) you’re not affected.
- [internal] By the way, we knew this already, see 04fc69a from Tails 0.10.1 (20120130)
- Queue = “Send later”
- You are very likely not using it, as it doesn’t make much sense in IMAP, or if you use it you’re aware of it because it’s a deliberate action.
- Possible workarounds
- Use POP instead of IMAP to avoid all bad surprises
- TODO: Need to rework persistence bug documentation (#9159 (closed))
- [internal] Do we want to propose POP by default? (#9303 (closed))
- If you want to keep IMAP with autosaving activated, consider
using Claws 3.10.1-2~bpo70+1 from backports
- It has a new option to disable automatic saving if the message is to be encrypted
- Add to additional software packages:
claws-mail/wheezy-backports
claws-mail-archiver-plugin/wheezy-backports
claws-mail-i18n/wheezy-backports
claws-mail-pgpinline/wheezy-backports
claws-mail-pgpmime/wheezy-backports
- Uncheck Configuration → Preferences… → Compose → Writing → Even if message is to be encrypted
- [internal] Do we want to ship Claws backports ourselves? (#9302 (closed))
- If you want to keep IMAP and use Queue, consider using a local
mailbox for storing them
- https://labs.riseup.net/code/issues/8999#note-8
- You can use the same technique to save your drafts as well
Parent Task: #8999 (closed)
Related issues
- Related to #9302 (closed)
- Related to #9159 (closed)
Original created by @sajolida on 9161 (Redmine)
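
A check for the "Am I affected by this?" question, as an added example (not part of the original ticket or of Tails): it classifies raw messages, such as those already fetched from the IMAP Drafts and Queue folders, as PGP/MIME, inline PGP or cleartext. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy

ARMOR_BEGIN, ARMOR_END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"

def classify(raw: bytes) -> str:
    """Return 'pgp-mime', 'pgp-inline' or 'cleartext' for one stored message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # PGP/MIME (RFC 3156): the whole body is one multipart/encrypted container.
    protocol = str(msg.get_param("protocol") or "").lower()
    if msg.get_content_type() == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-mime"
    # Inline PGP: every non-empty text part must be an armored block.
    # Attachments are not inspected here.
    texts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode("utf-8", errors="replace").strip())
    texts = [t for t in texts if t]
    if texts and all(t.startswith(ARMOR_BEGIN) and t.endswith(ARMOR_END) for t in texts):
        return "pgp-inline"
    return "cleartext"

def audit(folders: dict) -> list:
    """Return (folder, subject) for every message stored in cleartext."""
    findings = []
    for name, messages in folders.items():
        for raw in messages:
            if classify(raw) == "cleartext":
                subject = email.message_from_bytes(raw, policy=policy.default)["Subject"]
                findings.append((name, str(subject or "")))
    return findings

# Constructed sample messages (not real mail); the ciphertext is a placeholder.
CLEAR = b"Subject: draft notes\n\nmeet at noon\n"
INLINE = ("Subject: inline\n\n" + ARMOR_BEGIN + "\n\n(placeholder)\n" + ARMOR_END + "\n").encode()
MIME = ('Subject: mime\nContent-Type: multipart/encrypted; boundary="b";\n'
        ' protocol="application/pgp-encrypted"\n\n--b\n'
        'Content-Type: application/pgp-encrypted\n\nVersion: 1\n--b\n'
        'Content-Type: application/octet-stream\n\n'
        + ARMOR_BEGIN + "\n\n(placeholder)\n" + ARMOR_END + "\n--b--\n").encode()
FOLDERS = {"Drafts": [CLEAR, MIME], "Queue": [INLINE]}

if __name__ == "__main__":
    for folder, subject in audit(FOLDERS):
        print(f"cleartext message in {folder}: {subject}")
```

Subject lines and other headers stay readable on the server even for messages this reports as encrypted.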