Date: Tue, 15 May 2018 14:23:11 +0200 From: Leo Gaspard <oss-security@....gaspard.ninja> To: oss-security@...ts.openwall.com Subject: Re: PGP/MIME and S/MIME mail clients vulnerabilities On 05/14/2018 04:01 PM, Yves-Alexis Perez wrote:> - PGP/MIME is a bit safer because the OpenPGP format compresses plaintext > before encryption (which makes it harder for the attacker) and has some kind > of authenticated (symmetric) encryption (the MDC), which helps gnupg detects > modifications to the cyphertext. Most mail clients properly handle gnupg hints > when something went wrong but the external interface is a bit fragile (gnupg > will still output the cleartext, for example). One exception is apparently > Thunderbird with enigmail before 2.0.0, but this is now fixed (I didn't find > the proper commit yet). Again, not displaying HTML mails and not allowing > remote content loading can help, but other “backchannels” might be found in > the future. Just to add in about Thunderbird with Enigmail after 2.0.0: https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060325.html https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060327.html https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060329.html So it looks like data encrypted with CAST5 (and possibly 3DES?) may be at risk even with Enigmail 2.0.0, with what I guess is latest GnuPG (don't know whether it is with 1.4, 2.2 or both, though), likely due to a GnuPG bug.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ