Show warning when user disables "Encrypt Drafts" (could be a security problem if "Store drafts on server" is enabled
I am using OS X Mail and gmail. In my account settings, I have the "Store draft messages on the server" option checked.
A friend of mine and I were speaking via an encrypted email exchange. In the process of writing my reply from OS X Mail, I happened to login to gmail using the web client to check something else. I was very disappointed to see, sitting in my drafts folder, my draft email in cleartext (including his previous email!!!).
Although this may be expected behaviour, it seems very dangerous. I never hit save on my draft, and both his original message and my response are sitting in the clear on gmail servers. This happened as soon as I hit reply (i.e. creating a draft). If you are using gmail and have that box selected, your messages are not secure.
I think this is a major security hole (again, it may be expected behaviour, but as a user it's very easy to make this mistake apparently).
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
| ? | Show this help |
|---|---|
| ESC | Blurs the current field |
Comment Form
| r | Focus the comment reply box |
|---|---|
| ^ + ↩ | Submit the comment |
You can use Command ⌘ instead of Control ^ on Mac
Support Staff 1 Posted by Steve on 26 Feb, 2015 04:54 PM
Hi Isaac,
can you please copy all version info as described here into this discussion.
In the latest version of GPG Suite, GPGMail defaults to always encrypt drafts. So if you have an older relase please download and install GPG Suite beta 5 from our homepage. Please also check that setting before installing any update in Mail.app > Preferences > GPGMail. It's called "encrypt drafts".
That will encrypt all drafts and if those end up on some server, they should be encrypted. But besides that you can also disable the setting to store drafts on server as you pointed out already.
Let me know what you find out.
steve
2 Posted by Isaac Tamblyn on 26 Feb, 2015 10:51 PM
Hi Steve,
Thanks for your email. I’m using 2.5b5, build 891b. It claims to be the most recent (assuming the “check now” update button works).
I just looked in Mail.app > Preferences > GPGMail, and “encrypt drafts” was in fact unchecked.
I checked it and restarted. I left the Mail.app > Preferences > Accounts > Gmail > Mailbox behaviours > "Store draft messages on the server" option checked. This seems to resolve the issue. Gmail no longer has cleartext as I write my response.
I'm not sure how that text box became unchecked (I don't remember changing anything), but I would argue that it should not be possible for a user to simultaneously have
"Store draft messages on the server" = True
and
“encrypt drafts” = False.
I suppose if you wanted to start working on a message on one machine, and then finish it from another this would be a solution, but it seems very dangerous and unnecessary to me.
GPG is behaving as it should in this scenario, but a user (i.e. me) was able to fall into a trap where I transmitted cleartext by accident. As a stupid user (hello :), this happened because I didn't realize that as soon as I hit reply to a message in Mail.app, a draft file is created and transmitted (although I never actually _saved_ a draft message) to gmail. I think it would be safer to prevent users from doing what I did, especially since I broadcasted not only my response in cleartext, but I also managed to send my friend's as well because it was quoted in the body of my reply.
As I wrote the email, the little blue lock logo made me thing everything was secure. It was not.
Although my issue is resolved (thanks for clearing it up), I think it would be an improvement to prevent stupid users like me from making this mistake in the future.
Thanks for your work on GPG.
- Isaac
Support Staff 3 Posted by Steve on 27 Feb, 2015 04:01 PM
Hi Isaac,
in your case, I think we didn't overwrite a custom setting. You must have deactivated this option long ago. But I'm sure we default to "on" in the current release.
I agree that it is difficult for users to realize the implications of disabling this setting. At the moment there are no precautions to prevent users disabling "Encrypt Drafts", especially if it was maybe just by accident.
We have a ticket for this problem. It suggests showing an explanatory warning before this setting is changed. I think that would be a good solution to this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll receive a notification. Feel free to open a new discussions should you run into further problems or need assistance.
Thanks for bringing this up. We agree this situation is far from ideal and will try to address it rather sooner than later.
All the best,
steve
4 Posted by Isaac Tamblyn on 27 Feb, 2015 04:41 PM
Ok great. Thanks.
Steve closed this discussion on 27 Feb, 2015 06:24 PM.