Date: Tue, 15 May 2018 17:40:04 +1000 From: Brian May <brian@...uxpenguins.xyz> To: Yves-Alexis Perez <corsac@...ian.org>, oss-security@...ts.openwall.com Subject: Re: PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez <corsac@...ian.org> writes: > So, as far as I can tell, in that attack scenario (where the attacker has > read/write access to encrypted mails): > > - S/MIME is completely broken at the protocol level since it has no way to > defend against blind modification. Only mitigation for the clients are to > prevent HTML mails and/or prevent loading of external resources. There might > be other avenues to exploit the vulnerability in the future though. > > - PGP/MIME is a bit safer because the OpenPGP format compresses plaintext > before encryption (which makes it harder for the attacker) and has some kind > of authenticated (symmetric) encryption (the MDC), which helps gnupg detects > modifications to the cyphertext. Most mail clients properly handle gnupg hints > when something went wrong but the external interface is a bit fragile (gnupg > will still output the cleartext, for example). One exception is apparently > Thunderbird with enigmail before 2.0.0, but this is now fixed (I didn't find > the proper commit yet). Again, not displaying HTML mails and not allowing > remote content loading can help, but other “backchannels” might be found in > the future. Have a look at some official statements on this: * https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html * https://protonmail.com/blog/pgp-vulnerability-efail/ For the case of PGP it sounds like the only problems occur when mail clients ignore the GPG hints. For S/MIME, it does sound like the standard is broken and needs fixing. If I understand this correctly, the "Direct Exfiltration" is an attack that doesn't require modifying the encrypted data - so presumably the MDC in PGP won't help. To me this sounds like a email client problem (allowing mixing encrypted and encrypted data in the one HTML document seems like a very bad idea), but the https://efail.de/ page says the standards need to be updated to fix this. -- Brian May <brian@...uxpenguins.xyz> https://linuxpenguins.xyz/brian/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ