Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 15 May 2018 17:40:04 +1000
From: Brian May <brian@...uxpenguins.xyz>
To: Yves-Alexis Perez <corsac@...ian.org>, oss-security@...ts.openwall.com
Subject: Re: PGP/MIME and S/MIME mail clients vulnerabilities

Yves-Alexis Perez <corsac@...ian.org> writes:

> So, as far as I can tell, in that attack scenario (where the attacker has
> read/write access to encrypted mails):
>
> - S/MIME is completely broken at the protocol level since it has no way to
> defend against blind modification. Only mitigation for the clients are to
> prevent HTML mails and/or prevent loading of external resources. There might
> be other avenues to exploit the vulnerability in the future though.
>
> - PGP/MIME is a bit safer because the OpenPGP format compresses plaintext
> before encryption (which makes it harder for the attacker) and has some kind
> of authenticated (symmetric) encryption (the MDC), which helps gnupg detects
> modifications to the cyphertext. Most mail clients properly handle gnupg hints
> when something went wrong but the external interface is a bit fragile (gnupg
> will still output the cleartext, for example). One exception is apparently
> Thunderbird with enigmail before 2.0.0, but this is now fixed (I didn't find
> the proper commit yet). Again, not displaying HTML mails and not allowing
> remote content loading can help, but other “backchannels” might be found in
> the future.

Have a look at some official statements on this:

* https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html
* https://protonmail.com/blog/pgp-vulnerability-efail/

For the case of PGP it sounds like the only problems occur when mail
clients ignore the GPG hints.

For S/MIME, it does sound like the standard is broken and needs fixing.

If I understand this correctly, the "Direct Exfiltration" is an attack
that doesn't require modifying the encrypted data - so presumably the
MDC in PGP won't help. To me this sounds like a email client problem
(allowing mixing encrypted and encrypted data in the one HTML document
seems like a very bad idea), but the https://efail.de/ page says the
standards need to be updated to fix this.
-- 
Brian May <brian@...uxpenguins.xyz>
https://linuxpenguins.xyz/brian/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.