Language Selection

English French German Italian Portuguese Spanish

Critical PGP Security Issue

Filed under
Security
  • Attention PGP Users: New Vulnerabilities Require You To Take Action Now

    A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

  • Disabling PGP in Thunderbird with Enigmail

Response from Werner Koch

Subject: Efail or OpenPGP is safer than S/MIME
Date: Mon, 14 May 2018 09:45:51 +0200
From: Werner Koch
To: gnupg-users@gnupg.org

Hi!

Some may have noticed that the EFF has warnings about the use of PGP out
which I consider pretty overblown. The GnuPG team was not contacted by
the researchers but I got access to version of the paper related to
KMail. It seems to be the complete paper with just the names of the
other MUAs redacted.

Given that the EFF suggests to deinstall GpgOL, we know tha it is not
vulnerable; see see https://dev.gnupg.org/T3714.).

Here is a response I wrote on the weekend to a reporter who inquired on
this problem.

=============
The topic of that paper is that HTML is used as a back channel to create
an oracle for modified encrypted mails. It is long known that HTML
mails and in particular external links like
are evil if the MUA actually honors them (which many meanwhile seem to
do again; see all these newsletters). Due to broken MIME parsers a
bunch of MUAs seem to concatenate decrypted HTML mime parts which makes
it easy to plant such HTML snippets.

There are two ways to mitigate this attack

- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.

- Use authenticated encryption.

The latter is actually easy for OpenPGP because we started to use
authenticated encryption (AE) since 2000 or 2001. Our AE is called MDC
(Modification detection code) and was back then introduced for a very
similar attack. Unfortunately some OpenPGP implementations were late to
introduce MDC and thus GPG could not fail hard on receiving a mail
without an MDC. However, an error is returned during decrypting and no
MDC is used:

gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created 2017-01-01
"Werner Koch "
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594 [GNUPG:] PLAINTEXT_LENGTH 69
There is more to life than increasing its speed.
-- Mahatma Gandhi
gpg: WARNING: message was not integrity protected
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION

When giving a filename on the command line an output file is even not
created. This can't be done in pipe mode because gpg allows to process
huge amounts of data. MUAs are advised to consider the DECRYPTION_FAILED
status code and not to show the data or at least use a proper way to
display the possible corrupted mail without creating an oracle and to
inform the user that the mail is fishy.

For S/MIME authenticated encryption is not used or implemented in
practice and thus there is no short term way to fix this in S/MIME
except for not using HTML mails.

The upshot of this is that OpenPGP messages are way better protected
against such kind of attacks than S/MIME messages. Unless, well, the
MUAs are correctly implemented and check error codes!

Shalom-Salam,

Werner

p.s.
Some cryptographers turn up their nose at the OpenPGP MDC which is an
ad-hoc AE mode from a time before AE received much research. However,
it does it job and protects reliable against this and other attacks.
The next OpenPGP revision will bring a real AE mode (EAX or OCB
depending on key preferences) which has other benefits (early detection
of corrupted messages, speed) but it will takes years before it will be
widely deployed and can can actually be used to create messages.

--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Alarmist articles

Subject: Re: [Enigmail] FYI disable enigmail now
Date: Mon, 14 May 2018 03:14:12 -0400
From: Robert J. Hansen
Reply-To: Enigmail user discussion list
To: enigmail-users@enigmail.net

We saw a preview of that paper. It's under embargo so it would be
inappropriate for us to comment on it until it's released. It was also
inappropriate for the EFF to comment on it. You can expect us to have
an official statement on it once the paper is published.

I will say this is a tempest in a teapot. Patrick, Werner, and I have
all seen it. We are not in the least bit worried. We wish the EFF had
reached out to us before running with an alarmist article.

tl;dr: as always, please use the latest Enigmail version, and do so with
confidence.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Security: Bo Weaver, New Scares, Clones With Malware

  • Bo Weaver on Cloud security, skills gap, and software development in 2019
    Bo Weaver, a Kali Linux expert shares his thoughts on the security landscape in the cloud. He also talks about the skills gap in the current industry and why hiring is a tedious process. He explains the pitfalls in software development and where the tech is heading currently. Bo, along with another Kali Linux expert Wolf Halton were also interviewed on why Kali Linux is the premier platform for testing and maintaining Windows security. They talked about advantages and disadvantages for using Kali Linux for pentesting. We also asked them about what they think about pentesting in cybersecurity, in general. They have also talked about their stance about the role of pentesting in cybersecurity in their interview titled, “Security experts, Wolf Halton and Bo Weaver, discuss pentesting and cybersecurity” [...] I laugh and cry at this term. I have a sticker on my laptop that says “There is no Cloud…. Only other people’s computers.” Your data is sitting on someone else’s system along with other people’s data. These other people also have access to this system. Sure security controls are in place but the security of “physical access” has been bypassed. You’re “in the box”. One layer of security is now gone. Also, your vendor has “FULL ACCESS” to your data in some cases. How can you be sure what is going on with your data when it is in an unknown box in an unknown data center? The first rule of security is “Trust No One”. Do you really trust Microsoft, Amazon, or Google? I sure don’t!!! Having your data physically out of your company’s control is not a good idea. Yes, it is cheaper but what are your company and its digital property worth? [...] In software development, I see a dumbing down of user interfaces. This may be good for my 6-year-old grandson, but someone like me may want more access to the system. I see developers change things just for the reason of “change”. Take Microsoft’s Ribbon in Office. Even after all these years, I find the ribbon confusing and hard to use. At least, with Libre Office, they give you a choice between a ribbon and an old school menu bar. The changes in Gnome 3 from Gnome 2. This dumbing down and attempting to make a desktop usable for a tablet and a mouse totally destroyed the usability of their desktop. What used to take 1 click now takes 4 clicks to do.
  • Security experts, Wolf Halton and Bo Weaver, discuss pentesting and cybersecurity [Interview]
  • Cloud security products uninstalled by mutating malware [Ed: Affects already-compromised servers]
    Linux is more prevalent than one might think, Microsoft Azure is now predominantly run on Linux servers - it's not just the Chinese cloud environments being hosted via Linux, it's likely that your business is running at least one cloud service on a Linux server too.
  • Google Play still has a clone problem in 2019 with no end in sight
    A fake app tries to clone another app in name, looks, and functionality, often also adding something like malware. Despite Google’s best efforts, both types of apps were fairly common in 2018.

Programming: GNU Binutils, Qt, Python, GStreamer, C++ and GTK+

  • GNU Binutils 2.32 Branched Ahead Of Release With New Features
    A new release of the GNU Binutils programming tools will soon be available. The upcoming Binutils 2.32 release is primarily made up of new CPU ports.  GNU Binutils 2.32 is bringing a MIPS port to the Loongson 2K1000 processor and the Loongson 3A1000/3A2000/3A3000 processors, all of which are based on the MIPS64r2 ISA but with different instruction set extensions. These new GPUs are exposed via -march=gs264e, -march=gs464, and -march=gs464e flags. With Binutils 2.32, the utilities like objdump and c++filt now have a maximum amount of recursion that is allowed while demangling strings with the current default being 2048. There is also a --no-recurse-limit for bypassing that limit. Objdump meanwhile allows --disassemble to specify a starting symbol for disassembly.
  • Building Qt apps with Travis CI and Docker
    I recently configured Travis CI to build Nanonote, my minimalist note-taking application. We use Jenkins a lot at work, and despite the fact that I dislike the tool itself, it has proven invaluable in helping us catch errors early. So I strongly believe in the values of Continuous Integration. When it comes to CI setup, I believe it is important to keep your distances with the tool you are using by keeping as much setup as possible in tool-agnostic scripts, versioned in your repository, and making the CI server use these scripts.
  • PyPI Security and Accessibility Q1 2019 Request for Proposals Update
    Earlier this year we launched a Request for Information (RFI) followed by the launch of a Request for Proposals (RFP) in November to fulfill a contract for the Open Technology Fund (OTF) Core Infrastructure Fund.  The initial deadline for our RFP was December 14th. We had hoped to begin work with the selected proposers in January 2019, but ultimately fell short of the ability to do so.
  • GStreamer 1.15.1 Released With Work On AV1, V4L HEVC Encode/Decode
    GStreamer 1.15.1 was announced on Friday as the first development release in the trek towards GStreamer 1.16 for this powerful open-source multimedia framework.
  • GStreamer 1.15.1 development release
    The GStreamer team is pleased to announce the first development release in the unstable 1.15 release series. The unstable 1.15 release series adds new features on top of the current stable 1.14 series and is part of the API and ABI-stable 1.x release series of the GStreamer multimedia framework. The unstable 1.15 release series is for testing and development purposes in the lead-up to the stable 1.16 series which is scheduled for release in a few weeks time. Any newly-added API can still change until that point, although it is rare for that to happen.
  • Is C++ fast?
    A library that I work on often these days, meshoptimizer, has changed over time to use fewer and fewer C++ library features, up until the current state where the code closely resembles C even though it uses some C++ features. There have been many reasons behind the changes - dropping C++11 requirement allowed me to make sure anybody can compile the library on any platform, removing std::vector substantially improved performance of unoptimized builds, removing algorithm includes sped up compilation. However, I’ve never quite taken the leap all the way to C with this codebase. Today we’ll explore the gamut of possible C++ implementations for one specific algorithm, mesh simplifier, henceforth known as simplifier.cpp, and see if going all the way to C is worthwhile.
  • Python Counters @PyDiff
  • Report: (clxi) stackoverflow python report
  • Regular Expressions in Python
  • Starting on a new map rendering library
    Currently in Maps, we use the libchamplain library to display the bitmap map titles (based on OpenStreetMap data and aerial photography) that we get from our tile provider, currently MapBox. This library is based on Clutter and used via the GTK+ embed support within libchamplain, which in turn makes use of the Clutter GTK embed support. Since this will not be supported when moving along to GTK+ 4.x and the Clutter library is not maintained anymore (besides the copy of it that is included in the GNOME Shell window manager/Wayland compositor, Mutter) eventually Maps will have to find a replacement. There's also some wonky bugs especially with regards to the mixing of event handling on the Clutter side vs. the GTK+ side. So to at least get the ball rolling a bit, I recently decided to see how hard it would be to take the code from libchamplain and keep the grotty deep-down internals dealing with tile downloading and caching and such and refocus the top-level parts onto new GTK+ 4 technologies such as the Snapshot, GSK (scene graph), and render node APIs.

today's howtos

LibreELEC (Leia) v8.95.3 BETA

LibreELEC 9.0 (Leia) Beta 3 has finally arrived after a long gestation period. Based upon Kodi v18 RC5.2, the 9.0 Beta 3 release contains many changes and refinements to user experience and a complete overhaul of the underlying OS core to improve stability and extend hardware support. Kodi v18 also brings new features like Kodi Retroplayer and DRM support that (equipped with an appropriate add-on) allows Kodi to unofficially stream content from services like Netflix and Amazon. Read more