Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 15 May 2018 17:40:04 +1000
From: Brian May <brian@...uxpenguins.xyz>
To: Yves-Alexis Perez <corsac@...ian.org>, oss-security@...ts.openwall.com
Subject: Re: PGP/MIME and S/MIME mail clients vulnerabilities

Yves-Alexis Perez <corsac@...ian.org> writes:

> So, as far as I can tell, in that attack scenario (where the attacker has
> read/write access to encrypted mails):
>
> - S/MIME is completely broken at the protocol level since it has no way to
> defend against blind modification. Only mitigation for the clients are to
> prevent HTML mails and/or prevent loading of external resources. There might
> be other avenues to exploit the vulnerability in the future though.
>
> - PGP/MIME is a bit safer because the OpenPGP format compresses plaintext
> before encryption (which makes it harder for the attacker) and has some kind
> of authenticated (symmetric) encryption (the MDC), which helps gnupg detects
> modifications to the cyphertext. Most mail clients properly handle gnupg hints
> when something went wrong but the external interface is a bit fragile (gnupg
> will still output the cleartext, for example). One exception is apparently
> Thunderbird with enigmail before 2.0.0, but this is now fixed (I didn't find
> the proper commit yet). Again, not displaying HTML mails and not allowing
> remote content loading can help, but other “backchannels” might be found in
> the future.

Have a look at some official statements on this:

* https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html
* https://protonmail.com/blog/pgp-vulnerability-efail/

For the case of PGP it sounds like the only problems occur when mail
clients ignore the GPG hints.

For S/MIME, it does sound like the standard is broken and needs fixing.

If I understand this correctly, the "Direct Exfiltration" is an attack
that doesn't require modifying the encrypted data - so presumably the
MDC in PGP won't help. To me this sounds like a email client problem
(allowing mixing encrypted and encrypted data in the one HTML document
seems like a very bad idea), but the https://efail.de/ page says the
standards need to be updated to fix this.
-- 
Brian May <brian@...uxpenguins.xyz>
https://linuxpenguins.xyz/brian/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ