Critical PGP Security Issue

  • Attention PGP Users: New Vulnerabilities Require You To Take Action Now

    A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

  • Disabling PGP in Thunderbird with Enigmail

Response from Werner Koch

Subject: Efail or OpenPGP is safer than S/MIME
Date: Mon, 14 May 2018 09:45:51 +0200
From: Werner Koch
To: gnupg-users@gnupg.org

Hi!

Some may have noticed that the EFF has warnings about the use of PGP out
which I consider pretty overblown. The GnuPG team was not contacted by
the researchers but I got access to a version of the paper related to
KMail. It seems to be the complete paper with just the names of the
other MUAs redacted.

Given that the EFF suggests to deinstall GpgOL, we know that it is not
vulnerable; see https://dev.gnupg.org/T3714.

Here is a response I wrote on the weekend to a reporter who inquired on
this problem.

=============
The topic of that paper is that HTML is used as a back channel to create
an oracle for modified encrypted mails. It is long known that HTML
mails and in particular external links like
are evil if the MUA actually honors them (which many meanwhile seem to
do again; see all these newsletters). Due to broken MIME parsers a
bunch of MUAs seem to concatenate decrypted HTML mime parts which makes
it easy to plant such HTML snippets.

There are two ways to mitigate this attack

- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.

- Use authenticated encryption.

The latter is actually easy for OpenPGP because we started to use
authenticated encryption (AE) since 2000 or 2001. Our AE is called MDC
(Modification detection code) and was back then introduced for a very
similar attack. Unfortunately some OpenPGP implementations were late to
introduce MDC and thus GPG could not fail hard on receiving a mail
without an MDC. However, an error is returned during decrypting and no
MDC is used:

  gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created 2017-01-01
        "Werner Koch "
  [GNUPG:] BEGIN_DECRYPTION
  [GNUPG:] DECRYPTION_INFO 0 7
  [GNUPG:] PLAINTEXT 62 1526109594
  [GNUPG:] PLAINTEXT_LENGTH 69
  There is more to life than increasing its speed.
          -- Mahatma Gandhi
  gpg: WARNING: message was not integrity protected
  [GNUPG:] DECRYPTION_FAILED
  [GNUPG:] END_DECRYPTION

When giving a filename on the command line an output file is even not
created. This can't be done in pipe mode because gpg allows to process
huge amounts of data. MUAs are advised to consider the DECRYPTION_FAILED
status code and not to show the data or at least use a proper way to
display the possible corrupted mail without creating an oracle and to
inform the user that the mail is fishy.

For S/MIME authenticated encryption is not used or implemented in
practice and thus there is no short term way to fix this in S/MIME
except for not using HTML mails.

The upshot of this is that OpenPGP messages are way better protected
against such kind of attacks than S/MIME messages. Unless, well, the
MUAs are correctly implemented and check error codes!

Shalom-Salam,

Werner

p.s.
Some cryptographers turn up their nose at the OpenPGP MDC which is an
ad-hoc AE mode from a time before AE received much research. However,
it does its job and protects reliably against this and other attacks.
The next OpenPGP revision will bring a real AE mode (EAX or OCB
depending on key preferences) which has other benefits (early detection
of corrupted messages, speed) but it will take years before it will be
widely deployed and can actually be used to create messages.

--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Thoughts are free. Exceptions are regulated by a federal law.
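
One way a mail client can act on the advice in the mail above to honor DECRYPTION_FAILED, shown as an added example (not code from GnuPG, Enigmail or the original mail): buffer gpg's pipe-mode output and release it for display only after the status lines report a clean, complete decryption. The function names and the release policy are assumptions; the first sample holds the status lines quoted in the mail, the other two are constructed.

```python
import subprocess
PREFIX = "[GNUPG:] "
# Status lines quoted in the mail above (message without an MDC).
SAMPLE_NO_MDC = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] PLAINTEXT_LENGTH 69
gpg: WARNING: message was not integrity protected
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""
# Constructed samples: an MDC-protected message, and output that stops early.
SAMPLE_OK = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 7
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""
SAMPLE_TRUNCATED = "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_INFO 2 7\n"

def parse_status(text):
    """Map each status keyword to its arguments, ignoring 'gpg:' log lines."""
    seen = {}
    for line in text.splitlines():
        if line.startswith(PREFIX):
            keyword, *args = line[len(PREFIX):].split() or [""]
            seen.setdefault(keyword, args)
    return seen

def gate_plaintext(status_text, plaintext):
    """Return (plaintext, reason); plaintext is None unless gpg reported success."""
    seen = parse_status(status_text)
    if "END_DECRYPTION" not in seen:
        return None, "decryption did not finish"
    if "DECRYPTION_FAILED" in seen or "BADMDC" in seen:
        info = seen.get("DECRYPTION_INFO", [])
        no_mdc = info[:1] == ["0"] and info[2:3] in ([], ["0"])
        return None, "no integrity protection" if no_mdc else "decryption failed"
    if "DECRYPTION_OKAY" not in seen:
        return None, "no DECRYPTION_OKAY status"
    return plaintext, "ok"

def decrypt_for_display(ciphertext):
    """Run gpg in pipe mode, buffer stdout, and gate it on the status lines."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt"],
                          input=ciphertext, capture_output=True)
    return gate_plaintext(proc.stderr.decode("utf-8", "replace"), proc.stdout)
```

Because gpg writes the plaintext to stdout before the failure status arrives, the caller must hold the whole buffer until `gate_plaintext` returns and must never stream it into an HTML renderer.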

Alarmist articles

Subject: Re: [Enigmail] FYI disable enigmail now
Date: Mon, 14 May 2018 03:14:12 -0400
From: Robert J. Hansen
Reply-To: Enigmail user discussion list
To: enigmail-users@enigmail.net

We saw a preview of that paper. It's under embargo so it would be
inappropriate for us to comment on it until it's released. It was also
inappropriate for the EFF to comment on it. You can expect us to have
an official statement on it once the paper is published.

I will say this is a tempest in a teapot. Patrick, Werner, and I have
all seen it. We are not in the least bit worried. We wish the EFF had
reached out to us before running with an alarmist article.

tl;dr: as always, please use the latest Enigmail version, and do so with
confidence.
