Last Updated: 1-20-97
Version: 0.58.1

Content-MD5 Header Support (RFC 1864)
==========================================

Well, I've gotten a number of messages from people which have the Content-MD5 header, and I'd implemented it in NCSA HTTPd, so I figured I would add it to mutt, so I hunted down the RFC (1864) and added the code necessary to add the Content-MD5 header, and to test an existing md5 header on received messages.

So, if a message you receive has an MD5 header in it, then there will be a message at the top of the body (or attachment) which reads either:

    [ MD5 Checksum Matches: =XXXXXXXXXX]

or

    [ MD5 Checksum Match Fails, Contents May Have Shifted]

for the passing and failing cases, respectively.

Realize that the Content-MD5 header is _not_ a particularly effective means of testing for message interception. If someone modifies your mail message, they could fairly easily modify the Content-MD5 header as well. On the other hand, this may tell you if some mail agent along the way does something with it.

Usage
---------

When you add this patch to mutt, it will automatically check any Content-MD5 header when you display it. There is a boolean variable for your .muttrc to set whether or not it will add a Content-MD5 header on messages you send out. The default is false.

Also, sending a content-md5 header is controlled by a boolean variable, which is false by default. Add

    set content_md5

to your .muttrc to enable it.

In the manual format:

    content_md5

    Type: boolean
    Default: unset

    Controls adding of Content-MD5 header when sending messages.

Parts and application
---------------------

I'm including the patch, and 4 files (2 .c 2 .h) which implement md5 (rfc1321) and content-md5 (rfc1864).

Also, since I've added files, you need to rerun configure to regenerate the Makefile, and then you should do a make dep and then make.
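
What the check described above can and cannot report, as an added Python example (it is not part of the patch, whose C code is not shown here). It computes the RFC 1864 value for a constructed single-part message and runs the verification for four cases; the function names, addresses and message text are assumptions made for the illustration.

```python
import base64
import hashlib
from email import message_from_bytes

def content_md5(decoded: bytes, is_text: bool = True) -> str:
    """RFC 1864 value: base64 of the MD5 digest of the body after the
    transfer encoding is removed, with text in canonical CRLF form."""
    if is_text:
        decoded = decoded.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return base64.b64encode(hashlib.md5(decoded).digest()).decode("ascii")

def check(raw: bytes) -> str:
    """Return 'absent', 'match' or 'mismatch' for a single-part message."""
    msg = message_from_bytes(raw)
    claimed = msg.get("Content-MD5")
    if claimed is None:
        return "absent"          # nothing to verify, so nothing is reported
    body = msg.get_payload(decode=True)   # undoes base64 / quoted-printable
    is_text = msg.get_content_maintype() == "text"
    return "match" if claimed.strip() == content_md5(body, is_text) else "mismatch"

def build(body: bytes, md5_header=None) -> bytes:
    """Constructed sample message; addresses and text are made up."""
    lines = [b"From: alice@example.org", b"To: bob@example.org",
             b"Content-Type: text/plain; charset=us-ascii"]
    if md5_header is not None:
        lines.append(b"Content-MD5: " + md5_header.encode("ascii"))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body

ORIGINAL = b"Meet at noon.\r\n"
ALTERED = b"Meet at nine.\r\n"

def scenarios() -> dict:
    good = content_md5(ORIGINAL)
    return {
        "untouched": check(build(ORIGINAL, good)),
        # a gateway that changes the body but leaves the header is caught
        "body changed, header kept": check(build(ALTERED, good)),
        # the digest is unkeyed, so a header recomputed with the body passes
        "body and header changed": check(build(ALTERED, content_md5(ALTERED))),
        "header stripped": check(build(ALTERED)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28} -> {result}")
```

Only the second case produces a failure notice, which is the accidental-corruption case; detecting deliberate modification needs a keyed or signed digest such as the PGP setup.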

Possible Enhancements
----------------------

The code to check for MD5 is kinda nasty because of the manner in which mutt checks for which display-hook to use, it could probably be written to be nicer, but I'm not quite sure how. I'm also not quite sure why mutt does this the way it does, so . . .

Caching of the MD5 verification, so it doesn't check every time.

I could probably add to the main menu and attachment menu a function 'verify-md5' which could just display a message if it matches or doesn't.

Maybe I should have two vars, one is "send_content_md5" the other is "check_content_md5"

Or maybe we would prefer something like the pgp setup, where you can (from the send menu) tell mutt to md5 the message.

Misc
----------

Performance? Well, on my machines, I didn't notice any performance penalty, but if you send a 2 meg attachment, you will probably notice something, especially on older machines. (Most of the time in sending is waiting for sendmail to finish, which dwarfed the md5 creation time).

Why Isn't this in Mutt?
-------------------------------

The response from Michael:

Sven Guckes writes:
> Quoting Brandon Long (blong@uiuc.edu):
> > Sending a content-md5 header is controlled by a boolean variable, which
> > is false by default. Add set content_md5 to your .muttrc to enable it.
> > If we get the check working, we might prefer to have two vars,
> > one is "send_content_md5" the other is "check_content_md5".
>
> Yes, a variable for each is good - but make the default to have it turned off.
> It's not that I would not use it - I just think that most people won't.
> Besides, the check may take a while on long mails, especially if parts have
> to be decoded before the check. Other than that - I hope it'll work!
>
> I wonder how Michael thinks about this..

Mutt used to have the machinery to extract the Content-MD5 header, but I took it out because I never implemented the actual verification code.

My own opinion is that the Content-MD5 field is rather useless, and in fact could provide a false sense of security. Most likely the only thing it will tell you is that some mail gateway along the way is majorly broken. Anyone who is modifying your mail messages can simply delete that header field and you'd never know.

Besides, don't most systems have the "md5sum" command?

me

Version
--------

0.58.1 - Updated to .58.1