
Critical PGP Security Issue

Filed under
Security
  • Attention PGP Users: New Vulnerabilities Require You To Take Action Now

    A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

  • Disabling PGP in Thunderbird with Enigmail

Response from Werner Koch

Subject: Efail or OpenPGP is safer than S/MIME
Date: Mon, 14 May 2018 09:45:51 +0200
From: Werner Koch
To: gnupg-users@gnupg.org

Hi!

Some may have noticed that the EFF has warnings about the use of PGP out
which I consider pretty overblown. The GnuPG team was not contacted by
the researchers but I got access to a version of the paper related to
KMail. It seems to be the complete paper with just the names of the
other MUAs redacted.

Given that the EFF suggests deinstalling GpgOL, we know that it is not
vulnerable; see https://dev.gnupg.org/T3714.

Here is a response I wrote on the weekend to a reporter who inquired on
this problem.

=============
The topic of that paper is that HTML is used as a back channel to create
an oracle for modified encrypted mails. It is long known that HTML
mails and in particular external links like
are evil if the MUA actually honors them (which many meanwhile seem to
do again; see all these newsletters). Due to broken MIME parsers a
bunch of MUAs seem to concatenate decrypted HTML mime parts which makes
it easy to plant such HTML snippets.

There are two ways to mitigate this attack:

- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.

- Use authenticated encryption.

The latter is actually easy for OpenPGP because we started to use
authenticated encryption (AE) since 2000 or 2001. Our AE is called MDC
(Modification detection code) and was back then introduced for a very
similar attack. Unfortunately some OpenPGP implementations were late to
introduce MDC and thus GPG could not fail hard on receiving a mail
without an MDC. However, an error is returned during decrypting and no
MDC is used:

gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created 2017-01-01
"Werner Koch "
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] PLAINTEXT_LENGTH 69
There is more to life than increasing its speed.
-- Mahatma Gandhi
gpg: WARNING: message was not integrity protected
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION

When giving a filename on the command line an output file is not even
created. This can't be done in pipe mode because gpg allows processing
huge amounts of data. MUAs are advised to consider the DECRYPTION_FAILED
status code and not to show the data or at least use a proper way to
display the possible corrupted mail without creating an oracle and to
inform the user that the mail is fishy.

For S/MIME authenticated encryption is not used or implemented in
practice and thus there is no short term way to fix this in S/MIME
except for not using HTML mails.

The upshot of this is that OpenPGP messages are way better protected
against such kind of attacks than S/MIME messages. Unless, well, the
MUAs are correctly implemented and check error codes!

Shalom-Salam,

Werner

p.s.
Some cryptographers turn up their nose at the OpenPGP MDC which is an
ad-hoc AE mode from a time before AE received much research. However,
it does its job and protects reliably against this and other attacks.
The next OpenPGP revision will bring a real AE mode (EAX or OCB
depending on key preferences) which has other benefits (early detection
of corrupted messages, speed) but it will take years before it will be
widely deployed and can actually be used to create messages.

--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Thoughts are free. Exceptions are regulated by a federal law.
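As an added illustration of the advice in the mail above (this is example code written for this page, not GnuPG's code and not any mail client's code): a small Python gate that reads the "[GNUPG:]" status records gpg writes to --status-fd, refuses to render anything unless a positive DECRYPTION_OKAY appears and no DECRYPTION_FAILED does, and shows a suspicious message only as HTML-escaped text under a warning, so a planted tag with an external reference cannot act as an oracle. The status keywords BEGIN_DECRYPTION, DECRYPTION_INFO, PLAINTEXT, PLAINTEXT_LENGTH, DECRYPTION_FAILED and END_DECRYPTION are the ones shown in the mail; GOODMDC and DECRYPTION_OKAY are gpg's own success keywords from its doc/DETAILS. The first sample is the output quoted in the mail (minus the user-id line); the other two samples, including the injected tag and the example.invalid host, are constructed.

```python
# Added example for this page, not code from GnuPG or from any mail client:
# a gate deciding whether a MUA may render decrypted output, driven only by
# the "[GNUPG:]" status records gpg writes to --status-fd.
import html

STATUS_PREFIX = "[GNUPG:] "

# Output quoted in the mail above (user-id line omitted).  Status records
# and plaintext share one stream here, and one line carries two records.
PAGE_OUTPUT_NO_MDC = """gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created 2017-01-01
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594 [GNUPG:] PLAINTEXT_LENGTH 69
There is more to life than increasing its speed.
-- Mahatma Gandhi
gpg: WARNING: message was not integrity protected
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

# Constructed success case: an MDC is present and gpg reports GOODMDC and
# DECRYPTION_OKAY (the DECRYPTION_INFO arguments are constructed as well).
CONSTRUCTED_OK = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1526109594
hello
[GNUPG:] PLAINTEXT_LENGTH 5
[GNUPG:] GOODMDC
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

# Constructed: no MDC, and the plaintext carries a planted HTML tag that
# references an external resource, the back channel the mail describes.
CONSTRUCTED_PLANTED = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594
<img src="http://example.invalid/leak">
[GNUPG:] PLAINTEXT_LENGTH 40
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""


def parse_status_lines(output):
    """Return (status keywords in order, plaintext lines).

    'gpg:' diagnostics are meant for humans and are dropped; only the
    machine-readable status records drive the decision.  Each line is
    split on every occurrence of the prefix so fused records are both seen.
    """
    keywords, plaintext = [], []
    for raw in output.splitlines():
        parts = raw.split(STATUS_PREFIX)
        head = parts[0].rstrip()
        if head and not head.startswith("gpg:"):
            plaintext.append(head)
        for chunk in parts[1:]:
            fields = chunk.split()
            if fields:
                keywords.append(fields[0])
    return keywords, plaintext


def decryption_verdict(output):
    """'render' only on a positive DECRYPTION_OKAY with no DECRYPTION_FAILED;
    anything else, including empty or truncated output, is 'quarantine'."""
    keywords, _ = parse_status_lines(output)
    if "DECRYPTION_FAILED" in keywords:
        return "quarantine"
    if "DECRYPTION_OKAY" not in keywords:
        return "quarantine"
    return "render"


def safe_display(output):
    """HTML fragment a client could show.  The plaintext is always escaped
    (no HTML is honoured, per the first mitigation in the mail); a
    quarantined message additionally gets a warning so the user knows
    gpg did not vouch for its integrity."""
    _, plaintext = parse_status_lines(output)
    body = "<pre>" + html.escape("\n".join(plaintext)) + "</pre>"
    if decryption_verdict(output) == "render":
        return body
    return ("<p><b>Warning:</b> gpg did not confirm this message's integrity "
            "(missing MDC or DECRYPTION_FAILED); shown as plain text only.</p>"
            + body)


if __name__ == "__main__":
    for name, sample in (("page output", PAGE_OUTPUT_NO_MDC),
                         ("constructed ok", CONSTRUCTED_OK),
                         ("constructed planted", CONSTRUCTED_PLANTED)):
        print(name, "->", decryption_verdict(sample))
```

The point of the fail-closed rule is that the absence of DECRYPTION_OKAY is treated exactly like DECRYPTION_FAILED: a client that only looks for the failure keyword will happily render output from a gpg run that died half-way or from an older gpg that did not emit a failure for a missing MDC.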

Alarmist articles

Subject: Re: [Enigmail] FYI disable enigmail now
Date: Mon, 14 May 2018 03:14:12 -0400
From: Robert J. Hansen
Reply-To: Enigmail user discussion list
To: enigmail-users@enigmail.net

We saw a preview of that paper. It's under embargo so it would be
inappropriate for us to comment on it until it's released. It was also
inappropriate for the EFF to comment on it. You can expect us to have
an official statement on it once the paper is published.

I will say this is a tempest in a teapot. Patrick, Werner, and I have
all seen it. We are not in the least bit worried. We wish the EFF had
reached out to us before running with an alarmist article.

tl;dr: as always, please use the latest Enigmail version, and do so with
confidence.
