Date: Tue, 15 May 2018 14:23:11 +0200
From: Leo Gaspard <oss-security@....gaspard.ninja>
To: oss-security@...ts.openwall.com
Subject: Re: PGP/MIME and S/MIME mail clients vulnerabilities

On 05/14/2018 04:01 PM, Yves-Alexis Perez wrote:
> - PGP/MIME is a bit safer because the OpenPGP format compresses plaintext
> before encryption (which makes it harder for the attacker) and has some kind
> of authenticated (symmetric) encryption (the MDC), which helps gnupg detect
> modifications to the cyphertext. Most mail clients properly handle gnupg hints
> when something went wrong but the external interface is a bit fragile (gnupg
> will still output the cleartext, for example). One exception is apparently
> Thunderbird with enigmail before 2.0.0, but this is now fixed (I didn't find
> the proper commit yet). Again, not displaying HTML mails and not allowing
> remote content loading can help, but other “backchannels” might be found in
> the future.

Just to add in about Thunderbird with Enigmail after 2.0.0:

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060325.html
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060327.html
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060329.html

So it looks like data encrypted with CAST5 (and possibly 3DES?) may be
at risk even with Enigmail 2.0.0, with what I guess is latest GnuPG
(don't know whether it is with 1.4, 2.2 or both, though), likely due to
a GnuPG bug.
