Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Apr 2013 20:44:22 -0600
From: Kurt Seifried <>
CC: Daniel Kahn Gillmor <>, Thomas Biege <>,,
Subject: Re: debian: gpg --verify suggests entire file was
 verified, even if file contains auxiliary data

Hash: SHA1

On 04/17/2013 12:32 PM, Daniel Kahn Gillmor wrote:
> On 04/17/2013 02:23 PM, Kurt Seifried wrote:
>> I've run into this before, sadly enigmail (Thunderbird gpg
>> plugin) displays the same green bar for message signed ok, but
>> displays the text as "Part of the message signed" so unless
>> you're really paying attention, you'll miss it.
>> My thinking is this:
>> 1) It's pretty easy to find signed content for people using GPG 
>> 2) It's pretty easy to append/embed signed content into a larger
>> message
>> So the attack would be: create malicious content/email,
>> embed/append a valid message harvested from somewhere. Send to
>> user. The user verifies then reads the message, unless they are
>> really paying attention they probably won't notice that the
>> content isn't signed properly (e.g. have an email, ton of
>> whitespace, then the signed message). Personally I'm inclined to
>> assign a CVE, enigmail for example does mostly the right thing
>> (makes a distinction between fully signed and partially signed).
>> I think GPG should too. Thoughts/comments before I assign this?
> A similar attack (related to PGP/MIME) has been under discussion on
> the enigmail list last month.  see the thread starting at:
>  I think the enigmail issues are distinct from the gpg issues, and
> i don't think they should be conflated into the same CVE.
> In particular, i see the enigmail issues as (security-related)
> UI/UX problems, but i see the gpg problems as (security-related) 
> API/programmatic-use problems.
> By comparison with enigmail, thunderbird's native S/MIME
> verification routines display no cryptographic indicators at all if
> only part of a message is signed.  This means that S/MIME-signed
> messages sent through common mailing list software which attaches a
> text/plain MIME footer (like mailman) will not indicate that they
> are verifiable at all.
> it's not a pretty set of tradeoffs. :/
> --dkg

So I think first off we need to figure out what the behaviour should
be. My thought would be that it should be quit explicit, e.g. "this
entire message/file/etc. was signed by X" or "a part of this
file/message/etc. was signed by X" and so on.

The next challenge is how to signal it to the end user. One challenge
with enigmail is it provides some of the signalling "in band" as it
were (in the email text area) which can be modified by the attacker,
and some of it "out of band: (at the top of the window area it puts
the color bar and text to clarify. With GPG command line it can maybe
say something like "part of this message was signed by X"?

I'm inclined to assign a CVE to this type of vulnerability but I have
no idea how we fix this _properly_. Anyone have ideas?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Version: GnuPG v1.4.13 (GNU/Linux)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.