<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body smarttemplateinserted="true">
<div id="smartTemplate4-template">
<style>.snipped {
border: 1px solid rgba(90,90,90,0.2); padding: 3px;
background: linear-gradient(to bottom, #fdeff4 0%,#fdb9bd 51%,#fea2a3 59%,#ff999e 100%);
}
#agGmail {
margin-left: 6px;
}
#agGmail, #agGmail p {
font-family: Cambria, Georgia, serif !important;
font-size:11pt;
text-align: left;
}
#agGmail p {
max-width: 950px;
}
</style>
<div id="agGmail">
<p>Dear Kai Engert,</p>
<p>when you say "conditional rules" are you referring to @media
stuff? I think that should degrade gracefully if some plain
"ground rules" are added, too.</p>
<p>Just curious as one of my main Add-ons (SmartTemplates) deals
with external HTML templates and style sheets a lot.<br>
</p>
<p>regards,<br>
Axel<br>
</p>
<style type="text/css">
.myNameAG {
text-shadow: 1px 1px 2px #DDD;
transition:font-size 0.5s;
}
.myNameAG:hover, .myNameAG a:hover
{ font-size:13pt; text-shadow: 3px 3px 4px rgba(200,250,200,0.7);}
.moz-signature {opacity: 1.0 !important;}
.myNameAG a { cursor: pointer !important; transition:font-size 0.5s;}
.myLogoAG {
transition: all .4s ease-out;
}
.myLogoAG:hover {
transform: scale(3) translate(-30px,-5px);
}
#SignatureAG, :not(blockquote) #SignatureAG {
background: rgb(230,240,163);
background-image: linear-gradient(to bottom, rgba(230,240,163,1) 0%,rgba(210,230,56,1) 50%,rgba(195,216,37,1) 51%,rgba(219,240,67,1) 100%);
color: #444;
box-shadow: 4px 4px 9px -2px rgba(0,0,0,0.65);
border-radius: 0.7em; padding: 0.8em 1.2em;
border: 1px dashed #8080A0;
font-size: 11pt !important;
font-family: 'Lucida Sans Unicode', 'Lucida Grande', sans-serif;
width: 65%;
}
.AddonList a {
color: #666666;
font-size: 10pt !important;
}
</style>
<div id="SignatureAG"> <b class="myNameAG"><a
href="mailto:axel.grude@gmail.com">Axel Grude</a></b> <br>
Music Production and Composition <br>
Thunderbird Add-ons Developer <span class="AddonList">(<a
href="https://addons.thunderbird.net/thunderbird/addon/quickfolders-tabbed-folders/">QuickFolders</a>,
<a
href="https://addons.thunderbird.net/thunderbird/addon/quickfilters/">quickFilters</a>,
<a
href="https://addons.mozilla.org/firefox/addon/quickpasswords/">QuickPasswords</a>,
<a
href="https://addons.thunderbird.net/thunderbird/addon/zombie-keys/">Zombie
Keys</a>, <a
href="https://addons.thunderbird.net/thunderbird/addon/smarttemplate4/">SmartTemplate⁴</a>)</span>
<br>
Visit my <a href="https://www.youtube.com/c/thunderbirddaily">YouTube
Channel</a> for email productivity tips <img
style="margin-top: 1em; float: right; box-shadow: 1px 1px
2px rgba(20, 20, 20, 0.4);" moz-do-not-send="false"
class="myLogoAG" src="cid:part8.44EFF506.129FED12@gmail.com"
alt="Get Thunderbird!" width="94" height="15">
</div>
</div>
</div>
<div id="smartTemplate4-quoteHeader">
<style type="text/css" scoped="">
#newHeaderAG1 b { font-weight:bold; color: #990033; min-width: 4.5em; max-width:none; display:inline-block;}
</style>
<blockquote type="cite" style="margin-bottom: -20px !important;
padding-bottom:20px !important;">
<div id="newHeaderAG1" style="font-size: x-small; padding:1em;
background-color:rgba(220,220,240,0.4); border-radius:3px;"> <b>Subject:</b>Product
decision regarding HTML/CSS email and digital signatures<br>
<b>From:</b>Kai Engert <a class="moz-txt-link-rfc2396E" href="mailto:kaie@kuix.de"><kaie@kuix.de></a><br>
<b>To:</b><a class="moz-txt-link-abbreviated" href="mailto:Tb-Planning@mozilla.org">Tb-Planning@mozilla.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:tb-planning@mozilla.org"><tb-planning@mozilla.org></a> <br>
<b>Sent: </b>Thursday, 3/12/2020 13:37<br>
</div>
</blockquote>
</div>
<blockquote type="cite"
cite="mid:2ec45869-42c5-cc3e-7493-520d2efb4f17@kuix.de">Summary:
<br>
<br>
We have a conflict of objectives related to HTML/CSS email
rendering (make emails look pretty) and digital signatures (ensure
the shown message matches what the author sent).
<br>
<br>
We're currently unable to provide a solution that perfectly
handles both aspects.
<br>
<br>
We need to make a decision which aspect is more important for the
default behavior - because in internal discussions we haven't yet
been able to find a consensus.
<br>
<br>
<br>
Details:
<br>
<br>
CSS offers conditional rules, this can be used to show different
contents based on properties of the user's computer, for example
screen size/resolution. This is often used to use a different
rendering on desktop computers and mobile devices.
<br>
<br>
In 2019 security researchers had reported an attack based on these
mechanisms.
<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1530106">https://bugzilla.mozilla.org/show_bug.cgi?id=1530106</a>
<br>
<br>
<br>
When replying to an HTML/CSS email in HTML mode, if quoting the
original message and including the original CSS rules, Alice can
be tricked to digitally sign contents that Alice cannot see.
<br>
<br>
An attacker Eve, who knows which devices are used by Alice and
Bob, can carefully prepare messages to trick them, simply by
requesting a response to an email that Eve sends to Alice.
<br>
<br>
After obtaining a response from Alice, Eve forwards the message to
Bob. Then Bob sees contents that Alice didn't see, and falsely
concludes that Alice deliberately signed it.
<br>
<br>
A complete solution to this problem is difficult.
<br>
<br>
In an ideal world that only cared about security but didn't care
about visual appearance, we could simply strip away all visual
styling, and display and edit all messages as plain text. However,
users (and members of the Thunderbird team) expect Thunderbird to
support pleasant display rendering of styled email content.
<br>
<br>
As a middle ground to remedy the attack scenario, we have
implemented code that strips all the conditional CSS rules - and
keep all other HTML/CSS styling.
<br>
<br>
This fix to the problem has been shipped with Thunderbird 78 and
is currently active by default.
<br>
<br>
Note that we have implemented the solution independent of whether
digital signatures are used or not, based on the argument that it
would be confusing that digitally signed messages behave
differently than messages that haven't been signed.
<br>
<br>
Also note, even when showing received messages, we're currently
disabling the conditional rules, too. This creates consistency
between reading and composing a reply. And we don't know if the
message that we received was specially prepared by an attacker, so
it seems reasonable to remove the attacker's ability to trick what
we see.
<br>
<br>
<br>
Since the release, we received bug reports that complain about
unexpected message display, see this bug and its duplicated:
<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1659362">https://bugzilla.mozilla.org/show_bug.cgi?id=1659362</a>
<br>
<br>
The reports caused Magnus to suggest that we display the security
protections, see the patch he attached.
<br>
<br>
I feel uncomfortable accepting that patch, my preference is to
keep the protection attempt and accept the degraded layout.
<br>
<br>
<br>
Recently the situation got worse, because of the following bug:
<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1675507">https://bugzilla.mozilla.org/show_bug.cgi?id=1675507</a>
<br>
<br>
The bug that causes the truncated message contents is also
reported here:
<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1680084">https://bugzilla.mozilla.org/show_bug.cgi?id=1680084</a>
<br>
<br>
With this, the suggestion to turn off the security protection has
been raised again.
<br>
<br>
<br>
We have the following options:
<br>
<br>
<br>
(a) secure but degraded layout by default
<br>
<br>
If we continue to strip conditional CSS, the layout of some emails
will continue to be different than expected (for a desktop).
<br>
<br>
Because of bugs in the sanitization code, we might continue to see
bugs such as 1675507, and the best we can do is try to address
them each time we identify a new bug.
<br>
<br>
<br>
(b) disable protection by default, higher priority for correct
display
<br>
<br>
With this option, we'd accept Magnus' patch to disable stripping
of conditional CSS by default.
<br>
<br>
Users who want to be protected against the content confusion
attacks described by the researchers, would need to be aware of
this attack, and manually change the preference to enable the
protection (strip conditional CSS):
<br>
<br>
<br>
<br>
We should make a decision, a or b, for the stable Thunderbird 78.x
branch.
<br>
<br>
<br>
<br>
For future Thunderbird versions (version 2021), we could consider
to develop feature improvements, that more actively involve the
user in this decision.
<br>
<br>
Ideas:
<br>
<br>
- notify the user whenever a message contains conditional CSS,
<br>
similar to the remote content notification
<br>
<br>
- offer the user the choice to strip or keep
<br>
<br>
- the notification and choice should be presented both when
reading
<br>
and replying/fowarding a message
<br>
<br>
- allow the user to configure the choice in preference
<br>
<br>
<br>
I'd welcome your feedback on this topic.
<br>
<br>
Thanks
<br>
Kai
<br>
_______________________________________________
<br>
tb-planning mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:tb-planning@mozilla.org">tb-planning@mozilla.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://mail.mozilla.org/listinfo/tb-planning">https://mail.mozilla.org/listinfo/tb-planning</a>
<br>
</blockquote>
</body>
</html>