Well, let’s get the bad news out of the way right now. The same goes for the true power users 1 whom his work targets.īut what about when those power users are away from their Macs and depending on iPhones or iPads? No MailMate on iOS, ever, so . . . And that’s exactly how its creator and lone developer - Benny Kjær Nielsen, Ph.D in computer science - wants it. But MailMate is solid, powerful, ultra-compliant with email standards, and loaded with more features than any user could ever possibly exhaust.
So, since the Catalina (macOS 10.15) version has had its share of problems, my macOS email activity is back to essentially all MailMate, all the time.įair warning to the uninitiated: MailMate isn’t “pretty.” Its interface is busy and dated-looking (although, like just about everything else in the app, highly customizable). To some degree, how firmly I’ve stayed with the app has depended on how I felt at any given time about Apple Mail on macOS. Largely since I’m not a heavy email user and purposely don’t use my go-to phone for any business email purposes, I’ve gone back and forth between using and not using MailMate.
Researchers reported these vulnerabilities to affected vendors and developers, as well as suggested appropriate countermeasures, which have now been implemented in the latest versions of most of the affected software.Nearly a year since my first encounter with MailMate, a stupendously powerful macOS email client app for power users, I remain utterly amazed by all its capabilities. These attacks allow attackers to trick email clients into showing an unsigned text while verifying an unrelated signature in another part (which remains invisible).Ĥ) ID attacks (I1, I2, I3) - These attacks rely on the weaknesses in the binding of signed messages to the sender identity by mail clients, allowing attackers to display a valid signature from the identity (ID) of a trusted communication partner located in the mail header.ĥ) UI Attacks (U1) - User Interface (UI) redressing attacks are successful if attackers found a way to mimic, using HTML, CSS, or inline images, some important UI elements of an email client that could allow them to display an indicator of a valid signature. “The goal of our attacker Eve is to create and send an email with arbitrary content to Bob whose email client falsely indicates that the email has been digitally signed by Alice.”ġ) CMS Attacks (C1, C2, C3, C4) - Flaws due to mishandling of Cryptographic Message Syntax (CMS), the container format of S/MIME, lead to contradicting or unusual data structures, such as multiple signers or no signers.Ģ) GPG API Attacks (G1, G2) - Implementation flaws in many email clients fail to properly parse a wide range of different inputs that could allow attackers to inject arbitrary strings into GnuPG status line API and logging messages, tricking clients into displaying successful signature validation for arbitrary public keys.ģ) MIME Attacks (M1, M2, M3, M4) - MIME wrapping attacks abuse how email clients handle partially signed messages. “In our scenario, we assume two trustworthy communication partners, Alice and Bob, who have securely exchanged their public PGP keys or S/MIME certificates,” the team explains in a research paper published today. The research was conducted by a team of researchers from Ruhr University Bochum and Münster University of Applied Sciences, which includes Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, and Jörg Schwenk.
#MAILMATE M3 ANDROID#
However, researchers tested 25 widely-used email clients for Windows, Linux, macOS, iOS, Android and Web and found that at least 14 of them were vulnerable to multiple types of practical attacks under five below-mentioned categories, making spoofed signatures indistinguishable from a valid one even by an attentive user. The affected email clients include Thunderbird, Microsoft Outlook, Apple Mail with GPGTools, iOS Mail, GpgOL, KMail, Evolution, MailMate, Airmail, K-9 Mail, Roundcube and Mailpile.
#MAILMATE M3 VERIFICATION#
A team of security researchers has discovered several vulnerabilities in various implementations of OpenPGP and S/MIME email signature verification that could allow attackers to spoof signatures on over dozen of popular email clients.
0 kommentar(er)
