<p>GPGTools: Discussion (/discussions/beta/829-draft-email), 2018-10-18T19:56:13Z</p>
<p>Show warning when user disables "Encrypt Drafts" (could be a security problem if "Store drafts on server" is enabled)</p>
<p>2015-02-26T16:54:38Z</p>
<div><p>Hi Isaac,</p>
<p>can you please copy all version info as described <a href=
"http://support.gpgtools.org/kb/faq/where-can-i-find-version-info-of-the-installed-tools">
here</a> into this discussion.</p>
<p>In the latest version of GPG Suite, GPGMail defaults to always
encrypt drafts. So if you have an older release please download and
install GPG Suite beta 5 from our homepage. Please also check that
setting before installing any update in Mail.app > Preferences
> GPGMail. It's called "encrypt drafts".</p>
<p>That will encrypt all drafts and if those end up on some server,
they should be encrypted. But besides that you can also disable the
setting to store drafts on server as you pointed out already.</p>
<p>Let me know what you find out.<br>
steve</p></div>
<p>Steve</p>
<hr>
<p>2015-02-26T22:51:43Z</p>
<div><p>Hi Steve,</p>
<p>Thanks for your email. I’m using 2.5b5, build 891b. It
claims to be the most recent (assuming the “check now”
update button works).</p>
<p>I just looked in Mail.app > Preferences > GPGMail, and
“encrypt drafts” was in fact unchecked.</p>
<p>I checked it and restarted. I left the Mail.app > Preferences
> Accounts > Gmail > Mailbox behaviours > "Store draft
messages on the server" option checked. This seems to resolve the
issue. Gmail no longer has cleartext as I write my response.</p>
<p>I'm not sure how that text box became unchecked (I don't
remember changing anything), but I would argue that it should not
be possible for a user to simultaneously have</p>
<p>"Store draft messages on the server" = True and<br>
“encrypt drafts” = False.</p>
<p>I suppose if you wanted to start working on a message on one
machine, and then finish it from another this would be a solution,
but it seems very dangerous and unnecessary to me.</p>
<p>GPG is behaving as it should in this scenario, but a user (i.e.
me) was able to fall into a trap where I transmitted cleartext by
accident. As a stupid user (hello :), this happened because I
didn't realize that as soon as I hit reply to a message in
Mail.app, a draft file is created and transmitted (although I never
actually <em>saved</em> a draft message) to gmail. I think it would
be safer to prevent users from doing what I did, especially since I
broadcasted not only my response in cleartext, but I also managed
to send my friend's as well because it was quoted in the body of my
reply.</p>
<p>As I wrote the email, the little blue lock logo made me think
everything was secure. It was not.</p>
<p>Although my issue is resolved (thanks for clearing it up), I
think it would be an improvement to prevent stupid users like me
from making this mistake in the future.</p>
<p>Thanks for your work on GPG.</p>
<ul>
<li>Isaac</li>
</ul></div>
<p>Isaac Tamblyn</p>
<hr>
<p>2015-02-27T16:01:22Z</p>
<div><p>Hi Isaac,</p>
<p>in your case, I think we didn't overwrite a custom setting. You
must have deactivated this option long ago. But I'm sure we default
to "on" in the current release.</p>
<p>I agree that it is difficult for users to realize the
implications of disabling this setting. At the moment there are no
precautions to prevent users disabling "Encrypt Drafts", especially
if it was maybe just by accident.</p>
<p>We have a ticket for this problem. It suggests showing an
explanatory warning before this setting is changed. I think that
would be a good solution to this problem. I connected this
discussion with the existing ticket. That means, should this
discussion get closed, it will be re-opened as soon as the ticket
is closed. That way you'll receive a notification. Feel free to
open a new discussion should you run into further problems or need
assistance.</p>
<p>Thanks for bringing this up. We agree this situation is far from
ideal and will try to address it rather sooner than later.</p>
<p>All the best,<br>
steve</p></div>
<p>Steve</p>
<hr>
<p>2015-02-27T16:41:38Z</p>
<div><p>Ok great. Thanks.</p>
<ul>
<li>Isaac</li>
</ul></div>
<p>Isaac Tamblyn</p>