gpgmail logging encrypted messages in plain-text to /var/log (web)

02 Feb, 2012 09:57 AM

WTF guys. Are you completely retarded?

Check your /var/log/system.log as well as a few of the .bz historic log-files and you can conclude the same.

- It logs the public keys present on your keyring.
- It also logs the messages you send without encryption (that is, the ones you'd send in cleartext)
- **Also logs the plaintext version of encrypted messages.**
- It logs all messages sent, on the state you sent them.
- It basically turns /var/log/system.log into a dump of your mail activity. Fuck.

If your laptop is stolen, your data is now more accessible than if you had only used filevault and forgotten about GPGMail. It's a clusterfuck. That's leaving aside that you might send a message and delete it. So it can contain even more data than your mail folder.

Seriously, the only more retarded thing they could do is also send the messages to pastebin.

And you don't load their logging settings from a configuration file, it's hardcoded.

Please let them know that this is unacceptable using their contact page. (System: MBP, OS X Lion)

I am flabbergasted.
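The check the post tells readers to do (search the live system.log and the rotated .bz2 archives for text from mail you sent), as an added example that is not part of the thread and not GPGMail code; the log lines, file names and phrases are constructed samples, and the "body:" line format is an assumption, not the real log format:

```python
# Added example (not from the thread): scan a log and its rotated bzip2
# archives for phrases taken from mail you sent, to confirm whether message
# text ended up in the system log. Sample logs below are constructed.
import bz2
import glob
import os
import tempfile

def open_log(path):
    """Open a plain or bzip2-compressed log file as text."""
    if path.endswith(".bz2"):
        return bz2.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, "r", encoding="utf-8", errors="replace")

def find_leaks(log_dir, phrases, base="system.log"):
    """Return {phrase: [(file, line_no), ...]} for each phrase found in
    base or its rotated archives (base.0.bz2, base.1.bz2, ...)."""
    candidates = [os.path.join(log_dir, base)]
    candidates += sorted(glob.glob(os.path.join(log_dir, base + ".*.bz2")))
    hits = {p: [] for p in phrases}
    for path in candidates:
        if not os.path.exists(path):
            continue
        with open_log(path) as fh:
            for n, line in enumerate(fh, 1):
                for p in phrases:
                    if p in line:
                        hits[p].append((os.path.basename(path), n))
    return hits

def build_sample_logs(log_dir):
    """Constructed sample: one live log and one rotated archive, each with a
    line that carries a message body in the clear (assumed format, not
    GPGMail's real output)."""
    live = ["Feb  2 09:40:01 mbp Mail[512]: plugin loaded",
            "Feb  2 09:41:12 mbp Mail[512]: body: the quarterly numbers are attached"]
    old = ["Feb  1 18:02:44 mbp Mail[480]: body: meet me at the usual place"]
    with open(os.path.join(log_dir, "system.log"), "w") as fh:
        fh.write("\n".join(live) + "\n")
    with bz2.open(os.path.join(log_dir, "system.log.0.bz2"), "wt") as fh:
        fh.write("\n".join(old) + "\n")

def demo():
    """Run the scan against the constructed logs in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_logs(d)
        return find_leaks(d, ["quarterly numbers", "usual place", "never sent this"])

if __name__ == "__main__":
    for phrase, where in demo().items():
        print(f"{phrase!r}: {where or 'not found'}")
```

Against a real machine, point `find_leaks` at `/var/log` with a few distinctive phrases from messages you recently sent; a hit in any archive shows the rotated logs need cleaning too, not just the live file.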

  1. Support Staff 1 Posted by Luke Le on 02 Feb, 2012 10:52 AM

    I can tell you again, but it's probably not changing anything.
    This was an issue of one released alpha and we're sorry for that.
    It's already been solved and a version which fixes this will be released tomorrow.
    Again, this is alpha software, so use it at your own risk; it's not recommended to use this on production machines just yet.

    Badmouthing us may help relieve your anger but doesn't necessarily help the process.

  2. 2 Posted by Jason on 03 Feb, 2012 07:55 AM

    I'm with you on that, but it seemed to have the required effect though.

    What makes this scenario different is that the main download link on the main page of the site links to the alpha version as the current version. There's no distinction between a stable release and alpha version.

    As someone coding for the privacy/security industry you should be held to a higher standard. Can't put it any other way.

    That said thank you for your contributions.

  3. Support Staff 3 Posted by Luke Le on 03 Feb, 2012 09:28 AM

    I completely agree that this was a fuck up and it was my fault, since I should have checked that it was not my dev version that was released but the one which has logging enabled only on demand.

    What throws me off about the message is the aggressive tone and profanity, which isn't necessary, given that this was not on purpose and that it just doesn't help solve the issue at hand.
    Considering the guy posting the message anonymously seems to have some knowledge of programming, he could have simply provided a patch.

    Everyone who's been on our support platform before should know that we take every discussion incredibly seriously and answer each of them.
    Most end up with us preparing special versions for the people to better debug their problems.
    So, again, profanity, pseudo-yelling, an aggressive tone or whatever is not necessary.

    And yes, the fact that this is alpha software should be highlighted more explicitly on our website.

  4. Support Staff 4 Posted by Luke Le on 14 Feb, 2012 04:49 AM

    Released version a30, which fixes the problem.

  5. Luke Le closed this discussion on 14 Feb, 2012 04:49 AM.
