Date: Wed, 17 Apr 2013 20:44:22 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Daniel Kahn Gillmor <dkg@...thhorseman.net>, Thomas Biege <thomas@...e.de>, patrick@...gmail.net, dkg@...thhorseman.net Subject: Re: debian: gpg --verify suggests entire file was verified, even if file contains auxiliary data -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/17/2013 12:32 PM, Daniel Kahn Gillmor wrote: > On 04/17/2013 02:23 PM, Kurt Seifried wrote: >> I've run into this before, sadly enigmail (Thunderbird gpg >> plugin) displays the same green bar for message signed ok, but >> displays the text as "Part of the message signed" so unless >> you're really paying attention, you'll miss it. >> >> My thinking is this: >> >> 1) It's pretty easy to find signed content for people using GPG >> 2) It's pretty easy to append/embed signed content into a larger >> message >> >> So the attack would be: create malicious content/email, >> embed/append a valid message harvested from somewhere. Send to >> user. The user verifies then reads the message, unless they are >> really paying attention they probably won't notice that the >> content isn't signed properly (e.g. have an email, ton of >> whitespace, then the signed message). Personally I'm inclined to >> assign a CVE, enigmail for example does mostly the right thing >> (makes a distinction between fully signed and partially signed). >> I think GPG should too. Thoughts/comments before I assign this? > > A similar attack (related to PGP/MIME) has been under discussion on > the enigmail list last month. see the thread starting at: > > https://lists.enigmail.net/pipermail/enigmail-users_enigmail.net/2013-March/000721.html > > I think the enigmail issues are distinct from the gpg issues, and > i don't think they should be conflated into the same CVE. > > In particular, i see the enigmail issues as (security-related) > UI/UX problems, but i see the gpg problems as (security-related) > API/programmatic-use problems. > > By comparison with enigmail, thunderbird's native S/MIME > verification routines display no cryptographic indicators at all if > only part of a message is signed. This means that S/MIME-signed > messages sent through common mailing list software which attaches a > text/plain MIME footer (like mailman) will not indicate that they > are verifiable at all. > > it's not a pretty set of tradeoffs. :/ > > --dkg > So I think first off we need to figure out what the behaviour should be. My thought would be that it should be quit explicit, e.g. "this entire message/file/etc. was signed by X" or "a part of this file/message/etc. was signed by X" and so on. The next challenge is how to signal it to the end user. One challenge with enigmail is it provides some of the signalling "in band" as it were (in the email text area) which can be modified by the attacker, and some of it "out of band: (at the top of the window area it puts the color bar and text to clarify. With GPG command line it can maybe say something like "part of this message was signed by X"? I'm inclined to assign a CVE to this type of vulnerability but I have no idea how we fix this _properly_. Anyone have ideas? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRb14FAAoJEBYNRVNeJnmTF/UQAI5niyrCCZ/MXR7kaP6ugzWA ldKWCMlI3D5GUyuQSabAiKDnNq5o6hevPkNs2RMBO4YtVin9cTcC3Obv3YAttSTQ N1H5JgroXO+1Q13v0pGJy1olw5SiTaWcyDMrAQ1EJpW5+E/yx+qNIkfMksZ8+NVH aokzOocX2LMQj7n1FjfB3gO8zIIhTTsRqCKX+cwfJZgJPD3FywySX3DsZZj2dRdo IgTuuYHAE+ZsNuV/rZO/Plv/KfzjBVu0RHxtaOnowaMZTDrw1LEcj8zPOKV/nOf5 m9IV4oMMSz6zVnlIDABBdj8dZFuPN1Kp72j9ox0fcQjy5E1c+ZQ1alFNg6MmoShm 3olCEX4cLmIRSnxB4G92Y80Pj2XmV/PKHrhwGZpggCGdTwEskXej8VcXiKFjH4JN sFpT8aHywKtP3GsWDx6fFkFe9Zy4ZPVlbfruySz9H4rFxywJJDbjoydDvBnhxzCy gffBcYnDPQ1YGnO8WrE8oNMT8jIeCEhOXvd73pgQCy/FvE68X3Q4keSvlwbR1TCE jfTGQqMS18yTshlISHF2rt9eOEkbDPzxHfFuOE/kWoYizqRfVjRW/WsZM+CYwVwH bkM+MGgyh7qa0Jb4eYHvqsl0EJkkp55Kuw3vCx3jcJpi3f6IXItpphgJt2rln4bQ Eop7WmP7qJR1/2y7ExFL =1b8Q -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.