Write a security advisory about Claws leaking cleartext to IMAP server
Here is a possible synopsis for the advisory. Note that while working on this, I discovered that this bug might not affect as many people as we thought. At least not all our IMAP users.
- Draft and Queue are saved unencrypted on the server with IMAP
- Am I affected by this?
- Only if you use IMAP (which is the default)
- Automatic saving is disabled by default in Tails, so if you haven’t changed this setting or installed after Tails 0.10.1 (20120130) you’re not affected.
- [internal] by the way, we knew this already, see 04fc69a0 from Tails 0.10.1 (20120130)
- Queue = “Send later”
- Very likely to not use it as it doesn’t make much sense in IMAP, or if you use it you’re aware of it because it’s a deliberate action.
- Possible workarounds
- Use POP instead of IMAP to avoid all bad surprises
- If you want to keep IMAP with autosaving activated, consider using Claws 3.10.1-2~bpo70+1 from backports
- It has a new option to disable automatic saving if the message is to be encrypted
- Add to additional software packages:
- Uncheck Configuration → Preferences… → Compose → Writing → Even if message is to be encrypted
- [internal] Do we want to ship Claws backports ourselves? (#9302 (closed))
- If you want to keep IMAP and use Queue, consider using a local mailbox for storing them
- You can use the same technique to save your drafts as well
Parent Task: #8999 (closed)