
Critical PGP Security Issue

Filed under
Security
  • Attention PGP Users: New Vulnerabilities Require You To Take Action Now

    A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

  • Disabling PGP in Thunderbird with Enigmail

Response from Werner Koch

Subject: Efail or OpenPGP is safer than S/MIME
Date: Mon, 14 May 2018 09:45:51 +0200
From: Werner Koch
To: gnupg-users@gnupg.org

Hi!

Some may have noticed that the EFF has warnings about the use of PGP out
which I consider pretty overblown. The GnuPG team was not contacted by
the researchers but I got access to a version of the paper related to
KMail. It seems to be the complete paper with just the names of the
other MUAs redacted.

Given that the EFF suggests deinstalling GpgOL, we know that it is not
vulnerable; see https://dev.gnupg.org/T3714.

Here is a response I wrote on the weekend to a reporter who inquired on
this problem.

=============
The topic of that paper is that HTML is used as a back channel to create
an oracle for modified encrypted mails. It is long known that HTML
mails and in particular external links like
are evil if the MUA actually honors them (which many meanwhile seem to
do again; see all these newsletters). Due to broken MIME parsers a
bunch of MUAs seem to concatenate decrypted HTML mime parts which makes
it easy to plant such HTML snippets.

There are two ways to mitigate this attack:

- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.

- Use authenticated encryption.

The latter is actually easy for OpenPGP because we started to use
authenticated encryption (AE) in 2000 or 2001. Our AE is called MDC
(Modification Detection Code) and was back then introduced for a very
similar attack. Unfortunately some OpenPGP implementations were late to
introduce MDC and thus GPG could not fail hard on receiving a mail
without an MDC. However, an error is returned during decryption when no
MDC is used:

gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created 2017-01-01
"Werner Koch "
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] PLAINTEXT_LENGTH 69
There is more to life than increasing its speed.
-- Mahatma Gandhi
gpg: WARNING: message was not integrity protected
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION

When giving a filename on the command line, an output file is not even
created. This can't be done in pipe mode because gpg allows processing
huge amounts of data. MUAs are advised to consider the DECRYPTION_FAILED
status code and not to show the data, or at least to use a proper way to
display the possibly corrupted mail without creating an oracle, and to
inform the user that the mail is fishy.

For S/MIME, authenticated encryption is not used or implemented in
practice, and thus there is no short-term way to fix this in S/MIME
except for not using HTML mails.

The upshot of this is that OpenPGP messages are way better protected
against such kind of attacks than S/MIME messages. Unless, well, the
MUAs are correctly implemented and check error codes!

Shalom-Salam,

Werner

p.s.
Some cryptographers turn up their nose at the OpenPGP MDC which is an
ad-hoc AE mode from a time before AE received much research. However,
it does its job and protects reliably against this and other attacks.
The next OpenPGP revision will bring a real AE mode (EAX or OCB
depending on key preferences) which has other benefits (early detection
of corrupted messages, speed) but it will take years before it will be
widely deployed and can actually be used to create messages.

--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Thoughts are free. Exceptions are regulated by a federal law.
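The MUA-side check Werner describes, as an added example that is neither his code nor GnuPG's: a small Python gatekeeper that parses the [GNUPG:] status lines gpg writes to --status-fd and refuses to hand the plaintext to a renderer unless DECRYPTION_OKAY and GOODMDC were both reported and DECRYPTION_INFO shows an MDC method other than 0. The two status transcripts are constructed; the first mirrors the no-MDC output quoted in the mail above.

```python
# Added example, not GnuPG project code: gate rendering on gpg's --status-fd lines.
from dataclasses import dataclass
from typing import Optional

PREFIX = "[GNUPG:] "

@dataclass
class Verdict:
    decrypted: bool = False           # DECRYPTION_OKAY seen
    failed: bool = False              # DECRYPTION_FAILED seen
    mdc_method: Optional[int] = None  # 1st arg of DECRYPTION_INFO; 0 = no MDC
    good_mdc: bool = False            # GOODMDC seen (MDC verified)
    @property
    def safe_to_render(self) -> bool:
        # Render only if gpg reports success AND an MDC was present and verified.
        return bool(self.decrypted and not self.failed and self.good_mdc
                    and (self.mdc_method or 0) > 0)

    def user_message(self) -> str:
        if self.safe_to_render:
            return "OK: decrypted and integrity protected"
        return "REFUSED: not integrity protected or decryption failed"

def parse_status(status_output: str) -> Verdict:
    """Parse [GNUPG:] status lines; warnings and plaintext lines are ignored."""
    v = Verdict()
    for raw in status_output.splitlines():
        if not raw.startswith(PREFIX):
            continue
        keyword, *args = raw[len(PREFIX):].split() or ["-"]
        if keyword == "DECRYPTION_OKAY":
            v.decrypted = True
        elif keyword == "DECRYPTION_FAILED":
            v.failed = True
        elif keyword == "DECRYPTION_INFO" and args and args[0].isdigit():
            v.mdc_method = int(args[0])
        elif keyword == "GOODMDC":
            v.good_mdc = True
    return v

# Constructed transcripts: the first mirrors the no-MDC case quoted above,
# the second is what a message carrying a verified MDC reports.
NO_MDC_STATUS = "\n".join([
    "[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_INFO 0 7",
    "[GNUPG:] PLAINTEXT 62 1526109594", "[GNUPG:] PLAINTEXT_LENGTH 69",
    "gpg: WARNING: message was not integrity protected",
    "[GNUPG:] DECRYPTION_FAILED", "[GNUPG:] END_DECRYPTION"])
GOOD_STATUS = "\n".join([
    "[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_INFO 2 7",
    "[GNUPG:] PLAINTEXT 62 1526109594", "[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] GOODMDC", "[GNUPG:] END_DECRYPTION"])
```

In a real MUA the status text comes from running gpg with --status-fd pointed at a separate descriptor from the plaintext, so the renderer only ever sees plaintext that passed safe_to_render.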

Alarmist articles

Subject: Re: [Enigmail] FYI disable enigmail now
Date: Mon, 14 May 2018 03:14:12 -0400
From: Robert J. Hansen
Reply-To: Enigmail user discussion list
To: enigmail-users@enigmail.net

We saw a preview of that paper. It's under embargo so it would be
inappropriate for us to comment on it until it's released. It was also
inappropriate for the EFF to comment on it. You can expect us to have
an official statement on it once the paper is published.

I will say this is a tempest in a teapot. Patrick, Werner, and I have
all seen it. We are not in the least bit worried. We wish the EFF had
reached out to us before running with an alarmist article.

tl;dr: as always, please use the latest Enigmail version, and do so with
confidence.

