
Re: Serious information leak in Ximian Evolution



On Sat, 2003-01-18 at 15:07, Søren Boll Overgaard wrote:
> On Sat, 2003-01-18 at 12:36, Csillag Kristóf wrote:
> > Well, it is a little bit offtopic, but it's a serious issue,
> > concerning the privacy of many of us, so I thought you might
> > be interested.
> > 
> > Ximian Evolution
> > Debian package version: 1.2.1-2
> > 
> > BCC Recipients ARE NOT HIDDEN from the other recipients of the message
> > !!!!!!!
> 
> It is not the job of evolution to hide Bcc recipients, that is the job
> of the SMTP-server being used.
> Bcc recipient specification in evolution is just a nice way of
> specifying addresses to be included in rcpt to: smtp commands, which are
> not included in either the cc: or to: headers.
> 
> It is the job of the smtp-server to remove any bcc: headers in email
> messages.


Hi,

Excuse me if I'm wrong, but a few months ago I already had a discussion
with the maintainers of Balsa, another MUA which had the same problem
with "Bcc:" header handling.

After reading RFC2822, which discusses the "Internet Message Format", it
seems that things are not so clear, and that it's very implementation
dependent !!  And it's never discussed in any way that it's the SMTP
server's job to rebuild messages and delete such headers...
Anyway, this made the Balsa maintainers modify their "Bcc"
implementation...

You'll find another discussion on this subject on the Exim mailing list, at
http://www.exim.org/pipermail/exim-users/Week-of-Mon-19980817/008813.html


  Thierry


Below are the corresponding chapters:

-----------

3.6.3. Destination address fields

   The destination fields of a message consist of three possible fields,
   each of the same form: The field name, which is either "To", "Cc", or
   "Bcc", followed by a comma-separated list of one or more addresses
   (either mailbox or group syntax).

to              =       "To:" address-list CRLF

cc              =       "Cc:" address-list CRLF

bcc             =       "Bcc:" (address-list / [CFWS]) CRLF

   The destination fields specify the recipients of the message.  Each
   destination field may have one or more addresses, and each of the
   addresses indicate the intended recipients of the message.  The only
   difference between the three fields is how each is used.

   The "To:" field contains the address(es) of the primary recipient(s)
   of the message.

   The "Cc:" field (where the "Cc" means "Carbon Copy" in the sense of
   making a copy on a typewriter using carbon paper) contains the
   addresses of others who are to receive the message, though the
   content of the message may not be directed at them.

   The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
   addresses of recipients of the message whose addresses are not to be
   revealed to other recipients of the message.  There are three ways in
   which the "Bcc:" field is used.  In the first case, when a message
   containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
   removed even though all of the recipients (including those specified
   in the "Bcc:" field) are sent a copy of the message.  In the second
   case, recipients specified in the "To:" and "Cc:" lines each are sent
   a copy of the message with the "Bcc:" line removed as above, but the
   recipients on the "Bcc:" line get a separate copy of the message
   containing a "Bcc:" line.  (When there are multiple recipient
   addresses in the "Bcc:" field, some implementations actually send a
   separate copy of the message to each recipient with a "Bcc:"
   containing only the address of that particular recipient.) Finally,
   since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
   sent without any addresses indicating to the recipients that blind
   copies were sent to someone.  Which method to use with "Bcc:" fields
   is implementation dependent, but refer to the "Security
   Considerations" section of this document for a discussion of each.
   ...

5. Security Considerations
   ...
   Many implementations use the "Bcc:" (blind carbon copy) field
   described in section 3.6.3 to facilitate sending messages to
   recipients without revealing the addresses of one or more of the
   addressees to the other recipients.  Mishandling this use of "Bcc:"
   has implications for confidential information that might be revealed,
   which could eventually lead to security problems through knowledge of
   even the existence of a particular mail address.  For example, if
   using the first method described in section 3.6.3, where the "Bcc:"
   line is removed from the message, blind recipients have no explicit
   indication that they have been sent a blind copy, except insofar as
   their address does not appear in the message header.  Because of
   this, one of the blind addressees could potentially send a reply to
   all of the shown recipients and accidentally reveal that the message
   went to the blind recipient.  When the second method from section
   3.6.3 is used, the blind recipient's address appears in the "Bcc:"
   field of a separate copy of the message. If the "Bcc:" field sent
   contains all of the blind addressees, all of the "Bcc:" recipients
   will be seen by each "Bcc:" recipient.  Even if a separate message is
   sent to each "Bcc:" recipient with only the individual's address,
   implementations still need to be careful to process replies to the
   message as per section 3.6.3 so as not to accidentally reveal the
   blind recipient to other recipients.
   ...
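
An added example, not part of the original message and not code from Evolution, Balsa or Exim: a sketch of the first two "Bcc:" handling methods from RFC 2822 section 3.6.3 as a mail client could apply them before submission, with a check for which recipients would see a blind address. Each plan is a list of (envelope recipients, message copy) pairs; the function names and the example.org addresses are constructed for illustration.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

def addrs(msg, *fields):
    """Bare addresses found in the named header fields."""
    values = [v for f in fields for v in msg.get_all(f, [])]
    return [a for _, a in getaddresses(values) if a]

def without_bcc(msg):
    out = copy.deepcopy(msg)
    del out["Bcc"]          # removes every Bcc: line; no error if absent
    return out

def unstripped(msg):
    """Behaviour reported in the thread: one copy, Bcc: intact, to everyone."""
    return [(addrs(msg, "To", "Cc", "Bcc"), msg)]

def method_one(msg):
    """RFC 2822 3.6.3, first case: one Bcc-free copy for all recipients."""
    return [(addrs(msg, "To", "Cc", "Bcc"), without_bcc(msg))]

def method_two(msg):
    """Second case, per-recipient variant: each blind recipient gets a
    separate copy whose Bcc: names only that recipient."""
    copies = [(addrs(msg, "To", "Cc"), without_bcc(msg))]
    for blind in addrs(msg, "Bcc"):
        own = without_bcc(msg)
        own["Bcc"] = blind
        copies.append(([blind], own))
    return copies

def leaks(copies, blind):
    """(recipient, exposed address) pairs: a blind address visible in a
    copy delivered to anyone other than that blind recipient."""
    return [(r, b) for rcpts, m in copies for r in rcpts
            for b in blind if r != b and b in m.as_string()]

def sample_message():
    # Constructed sample; all addresses are placeholders.
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "alice@example.org"
    msg["Cc"] = "bob@example.org"
    msg["Bcc"] = "carol@example.org, dave@example.org"
    msg["Subject"] = "bcc handling"
    msg.set_content("body\n")
    return msg

if __name__ == "__main__":
    m = sample_message()
    for plan in (unstripped, method_one, method_two):
        print(plan.__name__, leaks(plan(m), addrs(m, "Bcc")))
```

The same `leaks` check can be run over messages captured from a client's outgoing queue to confirm that no delivered copy carries another recipient's blind address.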




