
Critical PGP Security Issue

  • Attention PGP Users: New Vulnerabilities Require You To Take Action Now

    A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

  • Disabling PGP in Thunderbird with Enigmail

Response from Werner Koch

Subject: Efail or OpenPGP is safer than S/MIME
Date: Mon, 14 May 2018 09:45:51 +0200
From: Werner Koch
To: gnupg-users@gnupg.org

Hi!

Some may have noticed that the EFF has warnings about the use of PGP out
which I consider pretty overblown. The GnuPG team was not contacted by
the researchers but I got access to a version of the paper related to
KMail. It seems to be the complete paper with just the names of the
other MUAs redacted.

Given that the EFF suggests to deinstall GpgOL, we know that it is not
vulnerable; see https://dev.gnupg.org/T3714.

Here is a response I wrote on the weekend to a reporter who inquired on
this problem.

=============
The topic of that paper is that HTML is used as a back channel to create
an oracle for modified encrypted mails. It is long known that HTML
mails and in particular external links like
are evil if the MUA actually honors them (which many meanwhile seem to
do again; see all these newsletters). Due to broken MIME parsers a
bunch of MUAs seem to concatenate decrypted HTML mime parts which makes
it easy to plant such HTML snippets.

There are two ways to mitigate this attack

- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.

- Use authenticated encryption.

The latter is actually easy for OpenPGP because we started to use
authenticated encryption (AE) since 2000 or 2001. Our AE is called MDC
(Modification detection code) and was back then introduced for a very
similar attack. Unfortunately some OpenPGP implementations were late to
introduce MDC and thus GPG could not fail hard on receiving a mail
without an MDC. However, an error is returned during decrypting and no
MDC is used:

gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created 2017-01-01
"Werner Koch "
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] PLAINTEXT_LENGTH 69
There is more to life than increasing its speed.
-- Mahatma Gandhi
gpg: WARNING: message was not integrity protected
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION

When giving a filename on the command line an output file is even not
created. This can't be done in pipe mode because gpg allows to process
huge amounts of data. MUAs are advised to consider the DECRYPTION_FAILED
status code and not to show the data or at least use a proper way to
display the possible corrupted mail without creating an oracle and to
inform the user that the mail is fishy.

For S/MIME authenticated encryption is not used or implemented in
practice and thus there is no short term way to fix this in S/MIME
except for not using HTML mails.

The upshot of this is that OpenPGP messages are way better protected
against such kind of attacks than S/MIME messages. Unless, well, the
MUAs are correctly implemented and check error codes!

Shalom-Salam,

Werner

p.s.
Some cryptographers turn up their nose at the OpenPGP MDC which is an
ad-hoc AE mode from a time before AE received much research. However,
it does its job and protects reliably against this and other attacks.
The next OpenPGP revision will bring a real AE mode (EAX or OCB
depending on key preferences) which has other benefits (early detection
of corrupted messages, speed) but it will take years before it will be
widely deployed and can actually be used to create messages.

--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Thoughts are free. Exceptions are regulated by a federal law.
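
The status-code check that the mail above asks MUAs to perform, as an added example that is not part of the original post or GnuPG's own code: a fail-closed gate over gpg's status lines, evaluated only after gpg has finished so that plaintext already emitted in pipe mode stays buffered. The first sample reuses the status lines quoted in the mail; the second sample is constructed, and the function names are hypothetical.

```python
PREFIX = "[GNUPG:] "

# Status lines as quoted in the mail above (message without MDC).
NO_MDC_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] PLAINTEXT_LENGTH 69
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

# Constructed sample: what an MDC-protected message is assumed to report.
GOOD_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] PLAINTEXT_LENGTH 69
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""


def parse_status(text):
    """Return (keyword, args) for each status line; ignore everything else."""
    rows = (ln[len(PREFIX):].split() for ln in text.splitlines() if ln.startswith(PREFIX))
    return [(r[0], r[1:]) for r in rows if r]


def may_render(status_text):
    """Fail-closed decision (hypothetical helper): returns (ok, reason)."""
    records = parse_status(status_text)
    seen = {kw for kw, _ in records}
    if "END_DECRYPTION" not in seen:
        return False, "gpg did not finish; keep plaintext buffered"
    if "DECRYPTION_FAILED" in seen or "BADMDC" in seen:
        return False, "gpg reported a decryption or integrity failure"
    if "DECRYPTION_OKAY" not in seen:
        return False, "no DECRYPTION_OKAY status"
    info = next((a for kw, a in records if kw == "DECRYPTION_INFO"), [])
    # DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>]; "0" means none.
    mdc = info[0] if info else "0"
    aead = info[2] if len(info) > 2 else "0"
    if mdc == "0" and aead == "0":
        return False, "message was not integrity protected"
    return True, "decrypted and integrity protected"
```

A caller would collect the status lines on a separate descriptor from the plaintext and hand the decrypted body to the renderer only when may_render returns True.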

Alarmist articles

Subject: Re: [Enigmail] FYI disable enigmail now
Date: Mon, 14 May 2018 03:14:12 -0400
From: Robert J. Hansen
Reply-To: Enigmail user discussion list
To: enigmail-users@enigmail.net

We saw a preview of that paper. It's under embargo so it would be
inappropriate for us to comment on it until it's released. It was also
inappropriate for the EFF to comment on it. You can expect us to have
an official statement on it once the paper is published.

I will say this is a tempest in a teapot. Patrick, Werner, and I have
all seen it. We are not in the least bit worried. We wish the EFF had
reached out to us before running with an alarmist article.

tl;dr: as always, please use the latest Enigmail version, and do so with
confidence.
