ID attacks
Mailfence does not attempt to link the signature identity to the sender address, and only displays the result of the signature verification. In case of doubt, users can always verify the identity of the signer list of brazil whatsapp phone numbers by clicking on the signature verification message and comparing it to the sender address. And in the case of the “From” field display, Mailfence correctly handles any special characters that might try to be used to manipulate the UI presentation to the user.
UI Attacks
Since Mailfence blocks all active content by default, any attempt to mimic signature verification using, for example, HTML, CSS or inline images will not work. In such cases, only the verification message for the valid (i.e. correctly recognized) signature will be displayed.
Recommendations for users using email clients affected by signature spoofing
We recommend that you take the following mitigation actions, in case you are using your Mailfence account with any of the affected email clients listed , in order to protect yourself against signature spoofing.
Update your OpenPGP-compatible email client and/or plugin . Researchers have reported their findings and suggested improvements to the developers of affected clients in a process they call “coordinated disclosure.” This is intended to ensure that affected clients can fix the issues before disclosing them to the public.
Disable HTML rendering and Remote Content Loading . Prevent your email client from rendering HTML or loading active content. This will prevent any attempts to spoof signature verification messages from working. Please consult your email client's specific documentation on this. E.g. Thunderbird.
