proton-bridge icon indicating copy to clipboard operation
proton-bridge copied to clipboard
verified publisher icon ProtonMail

Security issue: SMIME signature verification is still broken

Open tk-innoq opened this issue 4 years ago • 8 comments

ProtonMail is still breaking email headers as already described in:

  • https://github.com/ProtonMail/proton-bridge/issues/28
  • https://github.com/ProtonMail/proton-bridge/issues/26

Expected Behavior

ProtonMail should by no means alter any contents/headers of incoming mails from a third party.

Current Behavior

ProtonMail changes the Mime-Type of a signed message:

Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="-- vs. Content-Type: multipart/mixed; boundary=

Message integrity cannot verified any more.

Possible Solution

Do not touch mail headers or content of signed messages.

Steps to Reproduce

Send a SMIME signed mail to a ProtonMail account.

Version Information

ProtonMail 4.0.5 and ProtonMailBridge still do not work.

tk-innoq avatar Sep 06 '21 12:09 tk-innoq

Hi, I ran into an issue with S/MIME signatures and wanted to confirm if it was related to this issue.

When I send an email from Thunderbird via the Bridge, the email body appears as an attached text file in Office 365 mail clients:

Screenshot of an email in Outlook (Office 365) showing an empty email with a text file attached

Screenshot of the text file attachment in previous image.

When I send mail from mail.protonmail.com, the email renders correctly:

Screenshot of an email in Outlook (Office 365) rendering correctly in the body content of the email, not as an attachment.

Is this related or should I open a new bug?

justwheel avatar Oct 27 '21 22:10 justwheel

please open a new bug @jwflory - the first issue reported here is known but what you are describing is not. we'll look into different request sent from webclient and bridge to try and unravel this.

andrzejsza avatar Oct 28 '21 10:10 andrzejsza

@andrzejsza Acknowledged, I opened #230 for my issue.

justwheel avatar Oct 28 '21 12:10 justwheel

@tk-innoq is this still an issue for you with the latest version of Bridge?

LBeernaertProton avatar Apr 14 '23 13:04 LBeernaertProton

To follow this ticket

Neustradamus avatar Aug 11 '23 04:08 Neustradamus

@LBeernaertProton After two years I checked it again with Bridge Version 3.6.1. The issue is still the same as described in the ticket.

tk-innoq avatar Nov 17 '23 11:11 tk-innoq

After some investigation, it seems we currently can't correctly support this in the proton API. We will internally evaluate how to best proceed to support this use case, but we can't promise any ETA at this point.

LBeernaertProton avatar Nov 20 '23 13:11 LBeernaertProton

Hi, are there any news on this topic?

GGORG0 avatar Aug 13 '24 21:08 GGORG0