Critical PGP Security Issue

  • Attention PGP Users: New Vulnerabilities Require You To Take Action Now

    A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

  • Disabling PGP in Thunderbird with Enigmail

Response from Werner Koch

Subject: Efail or OpenPGP is safer than S/MIME
Date: Mon, 14 May 2018 09:45:51 +0200
From: Werner Koch
To: gnupg-users@gnupg.org

Hi!

Some may have noticed that the EFF has warnings about the use of PGP out
which I consider pretty overblown. The GnuPG team was not contacted by
the researchers but I got access to a version of the paper related to
KMail. It seems to be the complete paper with just the names of the
other MUAs redacted.

Given that the EFF suggests to deinstall GpgOL, we know that it is not
vulnerable; see https://dev.gnupg.org/T3714.

Here is a response I wrote on the weekend to a reporter who inquired on
this problem.

=============
The topic of that paper is that HTML is used as a back channel to create
an oracle for modified encrypted mails. It is long known that HTML
mails and in particular external links like
are evil if the MUA actually honors them (which many meanwhile seem to
do again; see all these newsletters). Due to broken MIME parsers a
bunch of MUAs seem to concatenate decrypted HTML mime parts which makes
it easy to plant such HTML snippets.

There are two ways to mitigate this attack

- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.

- Use authenticated encryption.

The latter is actually easy for OpenPGP because we started to use
authenticated encryption (AE) since 2000 or 2001. Our AE is called MDC
(Modification detection code) and was back then introduced for a very
similar attack. Unfortunately some OpenPGP implementations were late to
introduce MDC and thus GPG could not fail hard on receiving a mail
without an MDC. However, an error is returned during decrypting and no
MDC is used:

gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created 2017-01-01
"Werner Koch "
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] PLAINTEXT_LENGTH 69
There is more to life than increasing its speed.
-- Mahatma Gandhi
gpg: WARNING: message was not integrity protected
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION

When giving a filename on the command line an output file is even not
created. This can't be done in pipe mode because gpg allows to process
huge amounts of data. MUAs are advised to consider the DECRYPTION_FAILED
status code and not to show the data or at least use a proper way to
display the possible corrupted mail without creating an oracle and to
inform the user that the mail is fishy.

For S/MIME authenticated encryption is not used or implemented in
practice and thus there is no short term way to fix this in S/MIME
except for not using HTML mails.

The upshot of this is that OpenPGP messages are way better protected
against such kind of attacks than S/MIME messages. Unless, well, the
MUAs are correctly implemented and check error codes!

Shalom-Salam,

Werner

p.s.
Some cryptographers turn up their nose at the OpenPGP MDC which is an
ad-hoc AE mode from a time before AE received much research. However,
it does its job and protects reliably against this and other attacks.
The next OpenPGP revision will bring a real AE mode (EAX or OCB
depending on key preferences) which has other benefits (early detection
of corrupted messages, speed) but it will take years before it will be
widely deployed and can actually be used to create messages.

--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Thoughts are free. Exceptions are regulated by a federal law.
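
The check the mail above advises MUAs to make, as an added example (not code from GnuPG or from any mail client): buffer the decrypted output and release it for display only once gpg's status stream carries a final success verdict. The first sample is the status output quoted in the mail; the other samples and the function names are constructed for illustration.

```python
PREFIX = "[GNUPG:] "
FATAL = {"DECRYPTION_FAILED", "BADMDC"}

def parse_status(status_text):
    """Parse '[GNUPG:] KEYWORD args...' lines into (keyword, args) tuples."""
    events = []
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                events.append((fields[0], fields[1:]))
    return events

def release_plaintext(status_text, buffered_plaintext):
    """Return (plaintext_or_None, reason). Fail closed on anything unexpected."""
    events = parse_status(status_text)
    seen = {kw for kw, _ in events}
    if seen & FATAL:
        return None, "gpg reported " + ", ".join(sorted(seen & FATAL))
    if not {"DECRYPTION_OKAY", "END_DECRYPTION"} <= seen:
        return None, "no final success verdict (stream truncated or still running)"
    for kw, args in events:
        # DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>]; method 0 with
        # no AEAD algorithm means the message carried no integrity protection.
        if kw == "DECRYPTION_INFO" and args and args[0] == "0":
            if len(args) < 3 or args[2] == "0":
                return None, "message was not integrity protected"
    return buffered_plaintext, "ok"

# Status lines quoted in the mail (no MDC, so gpg ends with DECRYPTION_FAILED).
PAGE_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] PLAINTEXT_LENGTH 69
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""
# Constructed sample: an MDC-protected message that decrypts cleanly.
GOOD_STATUS = PAGE_STATUS.replace("INFO 0 7", "INFO 2 7").replace(
    "DECRYPTION_FAILED", "DECRYPTION_OKAY\n[GNUPG:] GOODMDC")
# Constructed sample: pipe mode, plaintext already emitted, verdict not yet seen.
PARTIAL_STATUS = "\n".join(GOOD_STATUS.splitlines()[:4])

if __name__ == "__main__":
    body = "There is more to life than increasing its speed.\n"
    for name, st in [("page", PAGE_STATUS), ("good", GOOD_STATUS), ("partial", PARTIAL_STATUS)]:
        print(name, release_plaintext(st, body))
```

The partial case is the pipe-mode situation the mail describes: plaintext can reach the caller before gpg has emitted its verdict, so the caller has to hold it back until END_DECRYPTION.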

Alarmist articles

Subject: Re: [Enigmail] FYI disable enigmail now
Date: Mon, 14 May 2018 03:14:12 -0400
From: Robert J. Hansen
Reply-To: Enigmail user discussion list
To: enigmail-users@enigmail.net

We saw a preview of that paper. It's under embargo so it would be
inappropriate for us to comment on it until it's released. It was also
inappropriate for the EFF to comment on it. You can expect us to have
an official statement on it once the paper is published.

I will say this is a tempest in a teapot. Patrick, Werner, and I have
all seen it. We are not in the least bit worried. We wish the EFF had
reached out to us before running with an alarmist article.

tl;dr: as always, please use the latest Enigmail version, and do so with
confidence.
