Mailfence is not affected by OpenPGP signature spoofing vulnerabilities

[[email protected]]

On April 30th, 2019, new vulnerabilities were announced in many OpenPGP and S/MIME- compatible email clients . These signature spoofing vulnerabilities take advantage of weaknesses in the way OpenPGP signatures are verified by email clients, and how the verification result is presented to the user. Our analysis showed that Mailfence is not affected by the disclosed OpenPGP signature spoofing vulnerabilities .

Why Mailfence is not impacted by OpenPGP signature spoofing
Spoofing of Signatures - Title
Signature Spoofing - Affected Clients
The attacker model mentioned in the whitepaper is this:

The email's "From" header is spoofed by the attacker using list of brazil whatsapp phone numbers spoofing techniques.
The attacker has obtained at least one valid OpenPGP signature by impersonating the user in a previous email conversation.
The victim on the recipient side already possesses a trusted public key of the impersonated sender.
Here are the attacks demonstrated by security researchers:



CMS attacks
Mailfence does not support the container format used by S/MIME, i.e. Cryptographic Message Syntax (CMS), and is therefore not affected by this type of attack.

Specific issue with GPG API
Mailfence does not use the GPG engine and is therefore not affected by issues specifically related to the GnuPG API.