
Critical PGP Security Issue

Filed under
Security
  • Attention PGP Users: New Vulnerabilities Require You To Take Action Now

    A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

  • Disabling PGP in Thunderbird with Enigmail

Response from Werner Koch

Subject: Efail or OpenPGP is safer than S/MIME
Date: Mon, 14 May 2018 09:45:51 +0200
From: Werner Koch
To: gnupg-users@gnupg.org

Hi!

Some may have noticed that the EFF has warnings about the use of PGP out
which I consider pretty overblown. The GnuPG team was not contacted by
the researchers but I got access to version of the paper related to
KMail. It seems to be the complete paper with just the names of the
other MUAs redacted.

Given that the EFF suggests to deinstall GpgOL, we know that it is not
vulnerable; see https://dev.gnupg.org/T3714.

Here is a response I wrote on the weekend to a reporter who inquired on
this problem.

=============
The topic of that paper is that HTML is used as a back channel to create
an oracle for modified encrypted mails. It is long known that HTML
mails and in particular external links like
are evil if the MUA actually honors them (which many meanwhile seem to
do again; see all these newsletters). Due to broken MIME parsers a
bunch of MUAs seem to concatenate decrypted HTML mime parts which makes
it easy to plant such HTML snippets.

There are two ways to mitigate this attack

- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.

- Use authenticated encryption.

The latter is actually easy for OpenPGP because we started to use
authenticated encryption (AE) since 2000 or 2001. Our AE is called MDC
(Modification detection code) and was back then introduced for a very
similar attack. Unfortunately some OpenPGP implementations were late to
introduce MDC and thus GPG could not fail hard on receiving a mail
without an MDC. However, an error is returned during decrypting and no
MDC is used:

gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created 2017-01-01
"Werner Koch "
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1526109594
[GNUPG:] PLAINTEXT_LENGTH 69
There is more to life than increasing its speed.
-- Mahatma Gandhi
gpg: WARNING: message was not integrity protected
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION

When giving a filename on the command line an output file is not even
created. This can't be done in pipe mode because gpg allows to process
huge amounts of data. MUAs are advised to consider the DECRYPTION_FAILED
status code and not to show the data or at least use a proper way to
display the possibly corrupted mail without creating an oracle and to
inform the user that the mail is fishy.

For S/MIME authenticated encryption is not used or implemented in
practice and thus there is no short term way to fix this in S/MIME
except for not using HTML mails.

The upshot of this is that OpenPGP messages are way better protected
against such kind of attacks than S/MIME messages. Unless, well, the
MUAs are correctly implemented and check error codes!

Shalom-Salam,

Werner

p.s.
Some cryptographers turn up their nose at the OpenPGP MDC which is an
ad-hoc AE mode from a time before AE received much research. However,
it does its job and protects reliably against this and other attacks.
The next OpenPGP revision will bring a real AE mode (EAX or OCB
depending on key preferences) which has other benefits (early detection
of corrupted messages, speed) but it will take years before it will be
widely deployed and can actually be used to create messages.

--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Thoughts are free. Exceptions are regulated by a federal law.
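As an added example, not code from GnuPG, Enigmail or any mail client: a small Python gate that walks gpg's `--status-fd` output (keywords as documented in GnuPG's doc/DETAILS), treats DECRYPTION_FAILED, BADMDC or a missing MDC as a hard stop, and collects the warning text for the user, so that a decrypted body never reaches an HTML renderer that could serve as the oracle the mail above describes. The status lines below are constructed to mirror the output quoted in the mail; the `Verdict` class and `parse_gpg_status` function are this example's own names.

```python
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "  # prefix gpg puts on --status-fd lines

@dataclass
class Verdict:
    decryption_failed: bool = False
    decryption_okay: bool = False
    mdc_present: Optional[bool] = None  # unknown until DECRYPTION_INFO/GOODMDC/BADMDC
    warnings: List[str] = field(default_factory=list)

    @property
    def safe_to_render(self) -> bool:
        # Fail closed: explicit OKAY, no FAILED, and a verified MDC are all required.
        return self.decryption_okay and not self.decryption_failed and self.mdc_present is True

def parse_gpg_status(lines) -> Verdict:
    """Walk gpg's mixed status/plaintext output and decide whether the MUA may show it."""
    v = Verdict()
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("gpg: WARNING:"):
            v.warnings.append(line)  # surface to the user instead of silently rendering
        elif line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if not fields:
                continue
            keyword, args = fields[0], fields[1:]
            if keyword == "DECRYPTION_FAILED":
                v.decryption_failed = True
            elif keyword == "DECRYPTION_OKAY":
                v.decryption_okay = True
            elif keyword == "DECRYPTION_INFO":
                # DECRYPTION_INFO <mdc_method> <sym_algo>; mdc_method 0 means no MDC at all
                v.mdc_present = bool(args) and args[0] != "0"
            elif keyword == "GOODMDC":
                v.mdc_present = True
            elif keyword == "BADMDC":
                v.mdc_present = False
                v.decryption_failed = True
    return v

# Constructed sample mirroring the no-MDC output quoted in the mail above.
UNPROTECTED = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_INFO 0 7",
               "[GNUPG:] PLAINTEXT 62 1526109594", "[GNUPG:] PLAINTEXT_LENGTH 69",
               "There is more to life than increasing its speed.",
               "gpg: WARNING: message was not integrity protected",
               "[GNUPG:] DECRYPTION_FAILED", "[GNUPG:] END_DECRYPTION"]
# Constructed sample of a message whose MDC was present and verified.
PROTECTED = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_INFO 2 7", "[GNUPG:] GOODMDC",
             "[GNUPG:] DECRYPTION_OKAY", "[GNUPG:] END_DECRYPTION"]
```

A client that only checks gpg's exit code would already refuse the first sample; the point of also reading DECRYPTION_INFO is to refuse rendering even where an older configuration still exits zero for MDC-less data.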

Alarmist articles

Subject: Re: [Enigmail] FYI disable enigmail now
Date: Mon, 14 May 2018 03:14:12 -0400
From: Robert J. Hansen
Reply-To: Enigmail user discussion list
To: enigmail-users@enigmail.net

We saw a preview of that paper. It's under embargo so it would be
inappropriate for us to comment on it until it's released. It was also
inappropriate for the EFF to comment on it. You can expect us to have
an official statement on it once the paper is published.

I will say this is a tempest in a teapot. Patrick, Werner, and I have
all seen it. We are not in the least bit worried. We wish the EFF had
reached out to us before running with an alarmist article.

tl;dr: as always, please use the latest Enigmail version, and do so with
confidence.

