Email Clients
Encrypting your emails with PGP can end up being pointless if your email client leaks information or allows your end device to be attacked.
If someone sends you a physical letter and you would prefer its contents to remain private, you find a private place to open it rather than a busy room full of curious people. If you want to hide even the fact that you received and read the letter, you need somewhere you can be sure you are not observed at all. Once you know the contents, the level of security you need might go down, or it might go up.
The problem is fundamental: you cannot know how a message should be handled before you have seen it.
Email clients do not always provide a safe space in which to make those decisions. Without explicit permission from the user, an email client should never:
- Leak any information. Merely displaying a message must not cause outgoing network connections: no remote images, stylesheets, fonts or other fetched resources. A single remote image load (a tracking pixel) tells the sender that the message was opened, when, and from which IP address.
- Let the message trigger complex processing. No decoding of image, sound or video formats, no scripts, and HTML interpreted only as far as basic formatting (paragraphs, emphasis, lists). Attributes, styles and embedded objects are dropped.
The client must also supply enough information for the user to make good decisions. For every message it should show:
- Was it encrypted? To which of your identities (keys)?
- Was it signed? Is the signature valid? Is the signing key one you know, and do you know the person behind it? A valid signature from an unknown key only shows the message was not altered since it was signed; it says nothing about who the sender is.
- If it was not signed, have you ever received email from that address before? From that email server?
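The structural part of those questions, as an added example (not code from the original page): reading the MIME layout of an incoming message (RFC 3156 PGP/MIME, plus inline PGP armour) to say whether it arrived encrypted or signed, and checking the sender against a history of addresses the user has received mail from. The history set, the sample messages and the use of the sender's domain as a stand-in for "that email server" are assumptions made for this example; signature validity and the identity a message was encrypted to need the OpenPGP layer (gpg or equivalent), which this example does not call.

```python
"""Extract the facts a client should show before it renders a message body.

Added example; not code from the original page. It inspects the MIME
structure (RFC 3156 PGP/MIME and inline PGP armour) to report whether a
message arrived encrypted or signed, and compares the sender with a
hypothetical set of addresses the user has received mail from before.
It does not verify signatures or decrypt anything: "is the signature valid"
and "which of my keys" need the OpenPGP layer, assumed to sit behind this.
"That server" is approximated by the sender's domain. Samples are constructed.
"""
import email
from email import policy
from email.utils import parseaddr


def describe(raw, known_senders):
    """Return the facts a client should display before the body is rendered."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    proto = (msg.get_param("protocol") or "").lower()
    sender = parseaddr(str(msg.get("From", "")))[1].lower()

    # RFC 3156: multipart/encrypted and multipart/signed with the PGP protocols.
    encrypted = ctype == "multipart/encrypted" and proto == "application/pgp-encrypted"
    signed = ctype == "multipart/signed" and proto == "application/pgp-signature"
    if ctype == "text/plain":  # inline (non-MIME) PGP armour in the body
        body = msg.get_content().lstrip()
        encrypted = encrypted or body.startswith("-----BEGIN PGP MESSAGE-----")
        signed = signed or body.startswith("-----BEGIN PGP SIGNED MESSAGE-----")

    domain = sender.rpartition("@")[2]
    return {
        "from": sender,
        "encrypted": encrypted,
        # A signature may be inside the ciphertext; that is only knowable
        # after decryption, so for encrypted mail it is reported as unknown.
        "signed": None if encrypted else signed,
        "seen_sender_before": sender in known_senders,
        "seen_domain_before": bool(domain)
        and any(s.endswith("@" + domain) for s in known_senders),
    }


# Hypothetical history: addresses this user has received mail from before.
KNOWN_SENDERS = {"alice@example.org", "carol@example.org"}

SIGNED_SAMPLE = b"""From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: meeting
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="sig1"

--sig1
Content-Type: text/plain; charset=us-ascii

See you at 10.
--sig1
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
(signature bytes omitted from this constructed sample)
-----END PGP SIGNATURE-----
--sig1--
"""

ENCRYPTED_SAMPLE = b"""From: Dave <dave@example.org>
To: Bob <bob@example.net>
Subject: ...
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc1"

--enc1
Content-Type: application/pgp-encrypted

Version: 1
--enc1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----
(ciphertext omitted from this constructed sample)
-----END PGP MESSAGE-----
--enc1--
"""

PLAIN_SAMPLE = b"""From: Mallory <mallory@unknown.example>
To: Bob <bob@example.net>
Subject: urgent invoice
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Please open the attached file.
"""

if __name__ == "__main__":
    for raw in (SIGNED_SAMPLE, ENCRYPTED_SAMPLE, PLAIN_SAMPLE):
        print(describe(raw, KNOWN_SENDERS))
```

Everything in the returned dictionary is known before a single byte of the body is rendered or decrypted, which is exactly the information the preview stage needs to show; the crypto-dependent answers are deliberately left as "unknown" rather than guessed.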
A preview pane should be just that: a preview. If the user wants to see the email in its full glory, they should have to take an explicit action to get it.
