
Critical PGP Security Issue

  • Attention PGP Users: New Vulnerabilities Require You To Take Action Now

    A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

  • Disabling PGP in Thunderbird with Enigmail

Response from Werner Koch

Subject: Efail or OpenPGP is safer than S/MIME
Date: Mon, 14 May 2018 09:45:51 +0200
From: Werner Koch
To: gnupg-users@gnupg.org

Hi!

Some may have noticed that the EFF has warnings about the use of PGP out
which I consider pretty overblown. The GnuPG team was not contacted by
the researchers but I got access to a version of the paper related to
KMail. It seems to be the complete paper with just the names of the
other MUAs redacted.

Given that the EFF suggests to deinstall GpgOL, we know that it is not
vulnerable; see https://dev.gnupg.org/T3714.

Here is a response I wrote on the weekend to a reporter who inquired on
this problem.

=============
The topic of that paper is that HTML is used as a back channel to create
an oracle for modified encrypted mails. It is long known that HTML
mails and in particular external links like
are evil if the MUA actually honors them (which many meanwhile seem to
do again; see all these newsletters). Due to broken MIME parsers a
bunch of MUAs seem to concatenate decrypted HTML mime parts which makes
it easy to plant such HTML snippets.

There are two ways to mitigate this attack

- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.

- Use authenticated encryption.

The latter is actually easy for OpenPGP because we started to use
authenticated encryption (AE) since 2000 or 2001. Our AE is called MDC
(Modification detection code) and was back then introduced for a very
similar attack. Unfortunately some OpenPGP implementations were late to
introduce MDC and thus GPG could not fail hard on receiving a mail
without an MDC. However, an error is returned during decrypting and no
MDC is used:

gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created 2017-01-01
"Werner Koch "
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] PLAINTEXT_LENGTH 69
There is more to life than increasing its speed.
-- Mahatma Gandhi
gpg: WARNING: message was not integrity protected
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION

When giving a filename on the command line an output file is even not
created. This can't be done in pipe mode because gpg allows to process
huge amounts of data. MUAs are advised to consider the DECRYPTION_FAILED
status code and not to show the data or at least use a proper way to
display the possible corrupted mail without creating an oracle and to
inform the user that the mail is fishy.

For S/MIME authenticated encryption is not used or implemented in
practice and thus there is no short term way to fix this in S/MIME
except for not using HTML mails.

The upshot of this is that OpenPGP messages are way better protected
against such kind of attacks than S/MIME messages. Unless, well, the
MUAs are correctly implemented and check error codes!

Shalom-Salam,

Werner

p.s.
Some cryptographers turn up their nose at the OpenPGP MDC which is an
ad-hoc AE mode from a time before AE received much research. However,
it does its job and protects reliably against this and other attacks.
The next OpenPGP revision will bring a real AE mode (EAX or OCB
depending on key preferences) which has other benefits (early detection
of corrupted messages, speed) but it will take years before it will be
widely deployed and can actually be used to create messages.

--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Thoughts are free. Exceptions are governed by federal law.
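
The check the mail above asks MUAs to make, as an added example (not code from GnuPG, Enigmail or any mail client): buffer gpg's output, parse the status lines gpg writes to the descriptor given with --status-fd, and hand the plaintext to the renderer only on a clean verdict. The function names and both status transcripts are constructed for illustration; the first transcript mirrors the status lines quoted in the mail.

```python
PREFIX = "[GNUPG:] "

# Constructed transcript mirroring the status lines quoted in the mail above.
NO_MDC_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] PLAINTEXT_LENGTH 69
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

# Constructed transcript for a message whose MDC verified.
GOOD_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""


def parse_status(text):
    """Return (keyword, args) for every status line; skip human-readable output."""
    events = []
    for line in text.splitlines():
        parts = line[len(PREFIX):].split() if line.startswith(PREFIX) else []
        if parts:
            events.append((parts[0], parts[1:]))
    return events


def verdict(status_text):
    """Classify a decryption run as 'ok', 'no-integrity' or 'failed'."""
    events = parse_status(status_text)
    seen = {keyword for keyword, _ in events}
    if "END_DECRYPTION" not in seen or "BADMDC" in seen:
        return "failed"  # gpg never finished, or the MDC did not match
    if "DECRYPTION_FAILED" in seen:
        # First DECRYPTION_INFO argument is 0 in the mail's no-MDC sample.
        mdc = [args[0] for kw, args in events if kw == "DECRYPTION_INFO" and args]
        return "no-integrity" if mdc == ["0"] else "failed"
    return "ok" if "DECRYPTION_OKAY" in seen else "failed"


def release_plaintext(status_text, buffered):
    """Pipe mode emits data before the verdict, so hold it until the run is 'ok'."""
    return buffered if verdict(status_text) == "ok" else None
```

A caller that gets None back should show a notice that the message failed its integrity check instead of rendering the buffered data, which is what keeps a modified message from reaching the HTML renderer.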

Alarmist articles

Subject: Re: [Enigmail] FYI disable enigmail now
Date: Mon, 14 May 2018 03:14:12 -0400
From: Robert J. Hansen
Reply-To: Enigmail user discussion list
To: enigmail-users@enigmail.net

We saw a preview of that paper. It's under embargo so it would be
inappropriate for us to comment on it until it's released. It was also
inappropriate for the EFF to comment on it. You can expect us to have
an official statement on it once the paper is published.

I will say this is a tempest in a teapot. Patrick, Werner, and I have
all seen it. We are not in the least bit worried. We wish the EFF had
reached out to us before running with an alarmist article.

tl;dr: as always, please use the latest Enigmail version, and do so with
confidence.
