Attention PGP Users: New Vulnerabilities Require You To Take Action Now

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. From a report: EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages. The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific).

In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication. Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email. Further reading: People Are Freaking Out That PGP Is 'Broken' -- But You Shouldn't Be Using It Anyway (Motherboard).

Holy shit!

Isn't this supposed to be a peer reviewed protocol that was guaranteed to be secure? How long has this program existed? Holy shit.

Re:Holy shit!

[Kenja]

Isn't this supposed to be a peer reviewed...

Yes... which is how we know about the problem and can address it. Open Source isn't magic.

Re:Holy shit!

Isn't this supposed to be a peer reviewed protocol that was guaranteed to be secure? How long has this program existed? Holy shit.

The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.

Re:Holy shit!

[tinkerton]

Better mod this up because a lot of people will be getting this wrong.

Re:Holy shit!

[Carewolf]

Isn't this supposed to be a peer reviewed protocol that was guaranteed to be secure? How long has this program existed? Holy shit.

The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.

And only for HTML emails, and only in Thunderbird, Apple Mail, Postbox and Airmail. So if you are using a better email client especially a non-Mac one you are fine.

Re:Holy shit!

[OtisSnerd]

The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.

And only for HTML emails, and only in Thunderbird, Apple Mail, Postbox and Airmail. So if you are using a better email client especially a non-Mac one you are fine.

According to the EFF notice, it also affects Outlook with the GPG4win plugin. Outlook also has builtin S/MIME checking, and oddly, that's been throwing errors on the signed emails I'm getting from the ClamAV list this morning...

Re: Holy shit!

I blame the alarmist summary!
Fuck that guy!

Re:Holy shit!

[unrtst]

This all goes back to really stupid features being added to email. There is no good reason to load external resources into an email. Want to include an image in your email? Go for it, but include it in the email. Why the hell would an external image get automatically loaded in an email that I downloaded for offline reading?!?! If it's external, just provide a link to it. Hell, just get rid of HTML email altogether!

The CBC "gadget" vulnerability seems kinda scary (see https://efail.de/), but I'm fairly certain that a signed and encrypted message would identify these (modifying the encrypted message via CBC gadget will break the message signature). While one *can* send an encrypted message that is not signed, that's never actually done. So, if you get an encrypted message that is not signed, that set off an alarm in the email client and lock down that message (sandbox it).

This is 100% the fault of the email client implementations. FWIW, if you still use mutt or pine or alpine etc, you're safe for now. They did mention other backchannels, but didn't name any... maybe more will be disclosed on that later?

Re:Holy shit!

[martyros]

And only for HTML emails...

This could be misunderstood -- the whole point of the attack is that the attacker changes a non-HTML email into an HTML one. If your mail client doesn't support HTML (or displays the formatting but doesn't fetch anything) then you're fine.

...and only in Thunderbird, Apple Mail, Postbox and Airmail.

This isn't correct.

There are two bugs. One is a sort of braindead one which only affects a small number of clients (including Thunderbird and Apple Mail), and has nothing to do with PGP or SMIME.

The other one is more serious, and does have to do with SMIME and PGP. Basically, if an attacker has a copy of an email which is encrypted but not signed, and knows what some of the plaintext is exactly, she can splice out those bits and put in other bits. And basically all e-mails contain things like Content-type: text/plain. So, an attacker can modify that to Content-type: text/html\n\n <img src=.

Regarding this bug, the website says:

Our analysis shows that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients.

I agree that it's a bug for MUAs to automatically download external content in encrypted emails. But it's a much more understandable bug to make.

Re:Holy shit!

No, it isn't magic. Its the same junk as closed source. But you guys pretended it was magical pixie dust. "many eyes" is slowly but surely turning out to be a giant lie that us non-cheerleaders knew it was...

https://www.cvedetails.com/top...

Oh look, #1 is a closed source evil proprietary system... oh wait.. no, Its the open source darling that everybody swears is the best..

I guess its number 1 in something..

Re:Holy shit!

but I'm fairly certain that a signed and encrypted message would identify these (modifying the encrypted message via CBC gadget will break the message signature).

Oh you're FAIRLY CERTAIN. Yeah. Who are you again? Why is your opinion relavant?

https://efail.de/#will-signatu...

This is 100% the fault of the email client implementations.

No, it isn't. Its yet another open source failure. Many eyes.. haha

Re: Holy shit!

[Bradmont]

Nobody said open source is a panacea to make software secure, bit it *is* a prerequisite for a user to verify that a piece of software is secure. It's like politicians that don't reveal their tax returns: those that don't do it aren't necessarily crooked, and those that do aren't necessarily honest. But one of the criteria for being certain that they're honest is to be able to audit those returns.

Re:Holy shit!

You're asking for people to know vulnerabilities before the proof-of-concept attacks even are *invented* by security researchers. You can't do that in *any* kind of software development whatsoever.

Might as well just keep offline, because there's no 100% secure piece of software! /s

There's always a level of risk to any piece of software, from remote attackers or exploits that give an in-person attacker root privileges. We can't give up on software, all we can do is have people watching and learning, which is better than having none at all, or having security researchers going to jail for simply telling the truth about closed source software vulnerabilities.

At least researchers are not legally punished for investigating exploits in open source software, which creates incentive to actually check the software instead of naively assuming the best.

Re: Holy shit!

3 strawmen in one post? Wow we got a record boys.

Re: Holy shit!

Nothing, and I mean literally NOTHING, is guaranteed to be secure. Nice strawman. Then you reply and post 3 more strawmen.

Jesus, Mary and Joseph. Someone give this guy a cookie.

Re:Holy shit!

[Gr8Apes]

This is 100% the fault of the email client implementations.

No, it isn't. Its yet another open source failure. Many eyes.. haha

It absolutely IS the fault of email clients. PGP/GPG doesn't go out and load remote content.

Re: Holy shit!

Let's see, that makes 5 strawmen from you now. 1 in the original post, 3 in your first reply, and now another one in this reply. Smh.

Re:Holy shit!

[Gr8Apes]

Apple Mail is fine, and I'm sure others are too, if you turn off "Load remote content". I did that a while ago because it's one of the ways FB and Google both track you.

Re:Holy shit!

[gweihir]

Nothing is "guaranteed to be secure". Incidentally, it is not PGP or GnuPG that is at fault here. It is fundamentally broken and insecure HTML and MIME parsing in the email software affected. PGP/GnuPG is perfectly fine.

Re:Holy shit!

[gweihir]

This is 100% the fault of the email client implementations. FWIW, if you still use mutt or pine or alpine etc, you're safe for now.

Oh, yes. Mutt user here (at least for encrypted email), because I have never trusted these messed up insecure jokes that pass for email software these days. Automatically loading stuff from external places in this way is an instant security fail. Nobody with a clue is surprised this can be exploited.

Re:Holy shit!

[gweihir]

PGP/GnuPG also does no MIME parsing, which must be broken as well to allow the attack. This is 100% incompetent implementation of email software by people that are clueless about security.

I also have to say I find all the alarmists here a disgrace. Clueless, arrogant and panicky, a very bad combination.

Re:Holy shit!

Exactly the kind of reaction the researchers were hoping for so as to get their 24 hours of fame.

In the end the problem isn't broken PGP or S/MIME at all, but stupid implementation of Mail User Agents and their poor handling of MIME multipart messages. i.e.: they can start a HTML img tag in a subpart before an encrypted subpart, finish it in a following subpart and be able to exfiltrate the encrypted subpart (now decrypted) via HTTP requests.

Re:Holy shit!

[Carewolf]

Apple Mail is fine, and I'm sure others are too, if you turn off "Load remote content". I did that a while ago because it's one of the ways FB and Google both track you.

True, but it really should be default off, and be warned against turning on.

Re: Holy shit!

[Narcocide]

Why does this post make me sure you're the one who wrote it?

Re:Holy shit!

[Darinbob]

A lot of security flaws arise from someone wanting to improve the "user experience". We've known almost forever that convenience the enemy of security.

Re:Holy shit!

[Srin+Tuar]

> The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.

Apparently thats wrong; it seems that core vulnerabilities lie inside the use of the gpg and smime protocol implementations themselves.

In particular, the lack of a valid message digest, and the default behavior of returning decryption results (or even attempting decryption) when the digest is invalid is the core problem.

If tampered encrypted payloads are detected, *decryption must not be attempted*

It seems over gnupg is vulnerable to this attack.

Re:Holy shit!

[Srin+Tuar]

> is not PGP or GnuPG that is at fault here

They are at fault for violating the "enc then mac" principle.

They should not return decrypted content of tampered messages, and if they didnt the gadget weakness would not exist.

This is absolutely a crypto issue in addition to an email client issue.

Re:Holy shit!

if you still use mutt or pine or alpine etc, you're safe for now.

PINE? What about elm? You know, that thing that PINE is not ...

Re:Holy shit!

Isn't this supposed to be a peer reviewed protocol that was guaranteed to be secure? How long has this program existed? Holy shit.

well.. as far as I know... all encryption have allegedly been rendered useless by NSA long ago... so it is no surprise that PGP has flaws... NSA may allegedly have put them there long ago and some of them are just now being found?

Re: Holy shit!

False. Open source guarantees nothing. How do you verify the code you're running matches the source code?

Intel's errata are longer than a Tolstoy novel. How do you know the hardware is doing what you told it to, and not more than that?

As a practical matter, very few people are qualified to audit source code, and 99.999% of FSF lamers and fanbois can't write code, much less read it.

Re:Holy shit!

[unrtst]

(Sorry... I know you were probably just riffing on the recursive acronym)
AFAIK, Elm doesn't support S/MIME nor GPG/PGP (though you can pipe stuff out to gpg to view the plain text, obviously). I'm not even sure Elm is Y2K compliant (according to http://www.instinct.org/elm/, "Update 06th Jan 2000: elm 2.4 is not Y2K compliant."). There are other, and more modern, terminal based email clients that may be worth mentioning. And there are older mail clients that also don't support S/MIME ("mail" from mailutils).

Re:Holy shit!

[Gr8Apes]

I agree, it would be better. But imagine the tsunami of customer support calls when people complain they can't see their FB notification emails.

Re:Holy shit!

[gweihir]

Read the description of the problem again.

Re: Holy shit!

[Bradmont]

You clearly didn't even read my comment, so I won't bother crafting a response either.

Weird Advice

[Carcass666]

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

In other news, lock picks can be used to open up your model of door lock. We advise you to remove all door locks from your door until a lock pick proof lock can be engineered and installed.

Re:Weird Advice

[Kiliani]

The key word was *automatically* – although it is not always clear in the press what you are supposed to do. So confusion will abound. No surprise there.

In the end, you can still use PGP, but you have to do more work to be safe. I think, if you understand how to use PGP to begin with, you can probably help yourself for now. If not, well ....

In your terms: keep your locks. But disable the remote locking feature (take the battery out) and don't use your app to lock your house - use your good old key you stored away in a box a long time ago. Yes, you will have to do actual work. And yes, someone can still break in - probably through the window. Or by kicking in the door ...

Re:Weird Advice

[nine-times]

I think that if you read between the lines, the problem isn't that PGP can be broken. The problem is that there's a vulnerability in the PGP code such that a specially-crafted payload can exploit it and compromise your system... somehow.

That's why they're specifically warning not to automatically open PGP-encrypted messages. It implies that someone might send a malicious PGP message that could cause damage, so you should be careful about which messages you decrypt until this is fixed.

Re:Weird Advice

Can't have locks that make it more difficult for Gogle to get in to ogle.

Re:Weird Advice

The last I checked lockpicks don't automatically open locks and I think that's exactly what this is describing.

Re:Weird Advice

[Carewolf]

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

In other news, lock picks can be used to open up your model of door lock. We advise you to remove all door locks from your door until a lock pick proof lock can be engineered and installed.

Yeah, I can't help but think however said that had an agenda. It does appear Thunderbird is fully compromised, while most other email clients including outlook are only compromised for S/MIME, and even for that it is for Outlook only 2007 and earlier.

Re: Weird Advice

[athmanb]

Encryption bugs are rarely in the "math" part of code, and more often in the surrounding stuff that handles content.

I'n guessing there is some sort of issue here where a cracker can expose data by sending a malformed email. So it's more like disabling a door lock that somebody could use to give you an electric shock...

Re:Weird Advice

[SigmundFloyd]

The key word was *automatically*

And that key word makes me think that this might have something to do with passphrase caching.

Re: Weird Advice

They exist. They are gun shaped.
You just put it in and pull the trigger a few times and it's open.

Re:Weird Advice

[cryptizard]

Nope, the problem is that an adversary can send you a carefully crafted email, which inside of it has an old encrypted email that they want to break into, and due to automatic decryption and rendering of HTML elements the plaintext of that encrypted email gets exfiltrated to a target server. The core issue is actually in the way MIME works with multi-part emails where you are allowed to have some unencrypted HTML and some encrypted segments together in the same email.

Re:Weird Advice

[cryptizard]

No, it is a problem with mixed-messages which can have unencrypted HTML next to encrypted text. You can trick the client into decrypting a message you send to them and giving it back to you.

Re:Weird Advice

[nine-times]

Ok, so I'm not 100% right but not 100% wrong. It's not that they can compromise your system, but they can compromise your other encrypted messages.

To reframe the metaphor, it's not "We've discovered that locks can be picked, so remove locks from all of your doors." It's more like, "We've discovered that there's a way that sticking your key into a malicious lock might allow them to scan your key and unlock your doors. Don't go sticking your key into unknown locks." Or something.

Re:Weird Advice

Penis juice! I am fapping to the sounds of gerbils farting. That is all.

Re:Weird Advice

[gweihir]

This should come as no surprise at all. Automatic decryption of emails is insecure, pretty much by definition. Anybody using that does not have security as it takes one tiny flaw somewhere else to exploit that. Also, automatically loading external stuff in an email reader is pretty much insane.

Re:Weird Advice

Did you not bother watching the video?

it's email clients badly handling image tags, letting you put mime parts *into* a HTML img tag, and then you're oh-so-helpful email client passing the decrypted text to an external image "resource".

So if Fred sends an email to Bob (who can decrypt it), and Joe gets ahold of the encrypted email, then Joe can send (in theory) Bob or Fred a harmless looking email which will attempt to load an image from Tom's (or Joe's) web server, which will show the decrypted message in the access log.

The example, however, took place entirely within Fred's sphere of control, so it's a bit iffy.

The fact that email clients bend over backwards to process really bad HTML, and break all kinds of rules in the process, is not news.

Re:Weird Advice

You're an idiot. You shouldn't be allowed to own a computer, let alone post on the internet.

Dear effin' god, the exploit was demonstrated in such a way that my grandmother could follow it, and you're making (bad) guesses?!?! Don't try to be clever, you're obviously not qualified.

It's not a PGP flaw. It's an email client flaw. It's an HTML parsing failure.

What the hell is wrong with people?!?

Don't guess. Don't assume. Learn. THEN speak.

Re:Weird Advice

[swillden]

"Don't go sticking your key into unknown locks."

More like "Stop using the automatic door unlocking tool". The analogy really doesn't work, but the point is that if you continue automatically decrypting emails with a buggy mail client, an attacker can arrange to be able to read emails encrypted to you.

Re:Weird Advice

[nine-times]

More like "Stop using the automatic door unlocking tool".

Yeah, but it's more like, "Don't have your automatic door unlocking tool automatically unlock any door that any random stranger might send to you."

Like you said, the analogy doesn't work.

Re: Weird Advice

[Brockmire]

Put the gun in the keyhole? That's not going to fit unless the gun is the size of your dick?

Re:Weird Advice

The problem is that the Grubbermint cannot break PGP. So they want you to stop using it because some fucking moron designed an e-mail client with HTML and Javascript support.

Re:Weird Advice

[Darinbob]

Yes, but some hipster is going to complain that having to be asked to decrypt every message is cumbersome and not as cool.

Re:Weird Advice

[swillden]

More like "Stop using the automatic door unlocking tool".

Yeah, but it's more like, "Don't have your automatic door unlocking tool automatically unlock any door that any random stranger might send to you."

Like you said, the analogy doesn't work.

Right, but most email clients with S/MIME or PGP support do automatically decrypt and display any email. You have to click on it first, but why wouldn't you? Obviously the attacker would make sure the From and Subject fields contain values you'd expect to see... probably just use the ones from the email they intercepted and modified.

Re:Weird Advice

[swillden]

Yes, but some hipster is going to complain that having to be asked to decrypt every message is cumbersome and not as cool.

And that still wouldn't help. Because how would anyone (hipster or not) decide whether to decrypt the message? The only information you have before the message is decrypted and displayed is the subject and sender, and the attacker will arrange for both of those to be things you'd expect to be legitimate. The attacker is someone who can intercept and modify your legitimate email, remember.

Or any other encryption

[jbmartin6]

The problem is the clients decrypt, then process any external requests for content. So if you can re-send an encrypted email with an external content request added to it, the client will happily decrypt then send the content request with your precious decrypted content. If you globally disable fetching any external content you don't have to worry. The encryption protocols all work fine, it is the behavior of the clients after the decryption that is the problem. So S/MIME would be affected too, or potentially any other encryption tool. Refusing to load any external content under any circumstances is good advice anyway.

Re:Or any other encryption

[xxxJonBoyxxx]

^^^ THIS ^^^ - PGP and SMIME are still fine. It's that dumb-ass software put secure (decrypted) and non-secure content into the same pot, and let the non-secure content broadcast the secure content out.

This site has the actual details (and paper): https://efail.de/

"EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago. The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker."

Re:Or any other encryption

[jbmartin6]

The kicker is, you can't control what your correspondent does with his email client, so any encrypted messages you have sent could be compromised in this way. But that was always the case since you would rely on the recipient to safeguard the keys anyway.

Re:Or any other encryption

[Mryll]

Ultimately you need to depend on them to safeguard the decrypted plaintext as well from any threat in the context

Re:Or any other encryption

[gweihir]

On a related note, this is _email_! Automatically loading anything externally is just as insane as automatically opening attachments. Have the people writing this broken email software learned absolutely nothing from the past?

Re:Or any other encryption

[gweihir]

Indeed. The recipient can just publish the email or send it to a 3rd party. You need to be able to trust people you send secrets to.

Final straw. Computers are NOT secure. I'm done.

[Seven+Spirals]

PGP is broken now? It's only had fairly infrequent and minor issues over time. If this is broken now, then it's the final sign that anyone who thinks computers can be secured is wrong. If you want something secure, write it down in a notebook. It'll be about 100x more secure than putting it on a computer simply by not being networked. Even if someone steals and reads your notebook it's better than someone having it on their phone (or PGP, now I guess) for the ENTIRE WORLD to come along and steal. Computers are great for games, everything else is debatable.

If you have nothing to hide

then why are you using PGP? It is only used by criminals and the like.

Re:If you have nothing to hide

[PPH]

So, this isn't about my wearing pants?

Some advice is worth what you paid for it

[ugen]

Yes, indeed, some advice there. Because there is some potential for bad actors to possibly decrypt some of the PGP encrypted messages, if said messages include HTML with links to 3rd party sites (which your email client must display automatically), you need to **completely disable** email encryption. Then all of your email becomes clear text and, fully readable by anyone without effort, and thus you are completely safe from that vulnerability. SMH.

That wonderful advice is brought to you by researchers in no way sponsored by NSA or any other 3 letter agency.

For those worried - make sure your email client does not automatically display any embedded HTML links (or, better yet, just turn off HTML formatted email). I believe this is the default for Enigmail encrypted email anyway. Use plaintext, and you are as safe as cryptography allows. (I believe Enigmail authors posted a message to that effect).

Re:Some advice is worth what you paid for it

[PPH]

which your email client must display automatically

Must? I guess I'm in real trouble. Because I read my e-mail with elm. The standards police will be kicking in my door any minute now.

Re:Some advice is worth what you paid for it

[jeff4747]

you need to **completely disable** email encryption

And there's where your reading comprehension failed.

The recommendation is to disable automatic email decryption. Because a lot of email clients will automatically decrypt the email and then happily run the "active content" in that email (aka hit an external server to download images or other HTML-email-fun).

So go ahead an send emails encrypted. And go ahead and decrypt your emails...manually so that you're doing it in a place that will not automatically run the HTML.

Re:Some advice is worth what you paid for it

OK, but

Note that there are other possible backchannels in email clients which are not related to HTML but these are more difficult to exploit. --

The "CBC/CFB gadget" attack is an actual vulnerability of the S/MIME and PGP standards. HTML or not, it should never be possible to append text to encrypted content without decoding it.
Also, it's not just your own client. Obviously this affects the email clients of anybody you send encrypted email to, and you have no way of knowing if they are able or care enough to secure their clients.

Re:Some advice is worth what you paid for it

[ugen]

To quote myself: "there is some potential for bad actors to possibly decrypt some of the PGP encrypted messages, if said messages include HTML with links to 3rd party sites (which your email client must display automatically)".

Explanation: For bad actors to decrypt PGP encrypted messages, these messages must include HTML with links to 3rd party sites and your email client must display such links automatically.

Re:Some advice is worth what you paid for it

[ugen]

This is not what I see when I read articles on the topic. For example: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

They suggest completely disabling or *uninstalling* tools that automatically decrypt PGP messages. There are multiple guides following this advisory that explain how to completely uninstall or disable Enigmail in email client (Thunerbird etc).

Re:Some advice is worth what you paid for it

[jeff4747]

They suggest completely disabling or *uninstalling* tools that automatically decrypt PGP messages

Hey look! It's exactly what I said.

Once again, the advice is not to stop using PGP or S/MIME. It's to not automatically decrypt messages because of HTML email.

Re:Some advice is worth what you paid for it

By uninstalling the tool that encrypts them.
So how do you think people will continue to encrypt their mails after they have uninstalled the tool doing so?
Encrypt it with pen and paper?

Re:Some advice is worth what you paid for it

Oh wonder oh wonder, that is why OpenPGP ALREADY prevents these!
The issue there was just that for backwards compatibility it still allowed decryption but showed a big fat warning if the authentication was missing. And some encryption plugins ignored the warning.
Yes, it's a crappy API, and they are considering to just break with compatibility to prevent this at the GPG level.

Re:Some advice is worth what you paid for it

[gweihir]

Indeed. This whole problem comes from crappy clueless implementations and crappy clueless defaults. Turning off PGP completely is entirely the wrong reaction.

Re:Some advice is worth what you paid for it

Because some complete assholes are utter total and complete assholes. They do not "sign" their messages before "encrypting".

"Encryption" == Confidentiality
"Signing" == Integrity

So if you want Integrity (ie, know the message recieved is what was sent) you need to SIGN it.
If you want that message (which now has Integrity) to enjoy Confidentiality, no need to ENCRYPT it.

You can have Integrity, confidentiality, or both. But you have to decide.

Bad HTML Mail Clients

[Xoc-S]

I'm no security expert, but allowing HTML mail to arbitrarily download embedded graphics in a mail client is just dumb. From my reading of the articles, doing that doesn't disable the problem, but keeps the information from escaping back to the malicious parties. This is a mail client problem triggering PGP to decrypt, then allowing the information to escape through embedded graphics, not a fundamental problem in PGP itself. Turning off HTML mail support at the client and just taking the text representation of the message looks like it completely defeats the hack. Tell me if I'm wrong.

Re:Bad HTML Mail Clients

[Carewolf]

I'm no security expert, but allowing HTML mail to arbitrarily download embedded graphics in a mail client is just dumb. From my reading of the articles, doing that doesn't disable the problem, but keeps the information from escaping back to the malicious parties. This is a mail client problem triggering PGP to decrypt, then allowing the information to escape through embedded graphics, not a fundamental problem in PGP itself. Turning off HTML mail support at the client and just taking the text representation of the message looks like it completely defeats the hack. Tell me if I'm wrong.

As a KMail user I have the default to never download HTML content. You would be surprised how many emails rely on it, though mostly newsletter that can usually be ignored, but sometimes website-integration messages are equally crappy. In Kmail it fortunately an option to override the external content for a single email at a time, so this bug would only affect you if you did a warned against security override on an encrypted email, in which case you are asking for it, and you can't really leak more than what the original idiot send as partially encrypted content.

Re:Bad HTML Mail Clients

efail.de tells you that you're wrong. I'm not going to fulltext quote it here.

Re:Bad HTML Mail Clients

[gweihir]

I am a security expert and I would upgrade that to "extremely dumb" as in "completely clueless about security". And no, you are not wrong. Also, having a correct MIME parser or taking the warning about missing integrity protection seriously also works to solve this. This is a problem on the side of the mail software affected.

Caveat: I have not looked at the finer details. I use mutt as mailer for anything encrypted with lynx as html-to-text filter and are decidedly not affected by any of this.

Re:Bad HTML Mail Clients

[gweihir]

And _that_ is a sane default. Do insecure things, be insecure. There is not even a story here except that apparently many makers of email software are really clueless about security.

No intersecting code

PGP and S/MIME. (!?) Thunderbird and Apple Mail and Outlook. Weirdly, they don't mention GnuPG by name but it is strongly implied ("tools that automatically decrypt PGP-encrypted email").

It looks like a bunch of things that seemingly share no code, unless it's some fundamental library or something that got copied a lot. Maybe a buffer overflow in some shared RSA or DH decryption library?

Problem is in the MUAs, not really in OpenPGP

[freax]

From https://lists.gnupg.org/piperm... :

> 1. This paper is misnamed.
Indeed
> 2. This attack targets buggy email clients.
Exactly
> 3. The authors made a list of buggy email clients.
Well said.

The MUA should not allow *any* utilization of HTTP when rendering a HTML E-mail. Any form of doing that is a serious mistake. Not only because of what is reported here, but also because that way *that* use of HTTP will allow spammers to identify when you open the E-mail. They use that to know if your E-mail adress is still alive.

Serious MUAs don't do this without user consent. Most HTML components even have a explicit offline mode exactly for that reason. Meaning that they won't automatically go online and fetch things like the src url of an IMG.

Any MUA that does this without user consent is completely and utterly wrong. Especially in a security sensitive context. This is something most MUA developers know about and if not, should know.

Common sense for slashdotters is new for newbies

[nimbius]

What might be common sense for us is certainly not for newcomers to PGP or those being made to use PGP in a corporate environment as part of a 'best practice'

when you're sending a PGP message, it needs to be plaintext. HTML is simply too dangerous to be disarmed in every conceivable application. This means your email messages should be read in plaintext for PGP.

I also think the EFF is a bit paranoid in issuing a 'full stop' to using PGP until this is fixed. At worst, you should send a link to the PGP document you'd like the user to read (in plaintext of course.)

What spooks would like you to do...

[mi]

temporarily stop sending and especially reading PGP-encrypted email

Sounds like just what the spies would like you to do to gain temporary access to most communications that used to be encrypted, while disabling some of them...

Plaintext email FTW!

[93+Escort+Wagon]

Seriously - there’s no good reason for an email which is important enough to encrypt to include html or other “rich formatting” anyway. Just turn it all off.

Re:Plaintext email FTW!

email which is important enough to encrypt

That would be all email. Your local burglar doesn't need to know that you just told your wife you'll be home late. Your insurance company doesn't need to know you want your wife to pick up some beer on the way home. Your ad company doesn't need to know that you think Disaster Area is the hoopiest band ever, or that you just wished your father's brother's nephew's cousin's former roommate a happy birthday. Etc. There aren't any emails that don't need encryption.

Except spam. Those are the only emails that don't need to be encrypted.

Re:Plaintext email FTW!

Except spam. Those are the only emails that don't need to be encrypted.

Except when they include 'harvested'/'stolen' data to 'improve' results...

Re:Plaintext email FTW!

[Kjella]

Seriously - thereâ(TM)s no good reason for an email which is important enough to encrypt to include html or other âoerich formattingâ anyway. Just turn it all off.

While that's true it's been a long time since I saw an exploit in actual HTML rendering code that didn't involve Javascript or some other active component. The problem is that email inherited the browser's "let's go out and gather all the bits and pieces" logic instead of being inline only, like if you could send text/html, text/css, image/jpeg as a MIME message and it'd render that HTML code styled using that CSS displaying that image in an <img> tag that would be fine for all but the most paranoid applications and you should always have a text/plain version for those. It's that it's not really a nicely formatted letter, it's just references to web bugs and various other crap somewhere else which kinda defeats the purpose of being mail-like. Then it's just a browser in drag.

Re:Plaintext email FTW!

Your local burglar doesn't need to know that you just told your wife you'll be home late. Your insurance company doesn't need to know you want your wife to pick up some beer on the way home.

Anymore those things are done via Whatsapp or another messenger, not email! Probably not one person in a thousand uses email for that, these days.

Very Cryptic warning

I only wish I were using PGP. I can't get others to take encryption seriously enough to deal with the hassle of using it.

Here's to the day it is baked into mail programs in such a way that my program will send a query to public registry or their program and gets their public key just by checking a box before sending an email (or make it the default). But most importantly, mine and their keys were generated whether or not we ever use them. Yeah, there's still man in the middle weaknesses. But it's better than nothing. You'd be able to send Grandma an encrypted email (and maybe visa versa) without her even knowing diddly about encryption.

Re:Very Cryptic warning

Leave it. Seriously, using encryption in this day and age means just painting a large target on yourself. You're not one in many, but one in a few. They'll find you, and then you'll be singled out for special attention. Then your life starts to change for the worse, a little at a time. One day you wonder what has gone wrong. The answer is simple: you became Stranger Danger. Do not become Stranger Danger. Conform. It's easy. You have nothing to lose except delusions of self-importance.

Re:Final straw. Computers are NOT secure. I'm done

[Carewolf]

PGP is broken now? It's only had fairly infrequent and minor issues over time. If this is broken now, then it's the final sign that anyone who thinks computers can be secured is wrong. If you want something secure, write it down in a notebook. It'll be about 100x more secure than putting it on a computer simply by not being networked. Even if someone steals and reads your notebook it's better than someone having it on their phone (or PGP, now I guess) for the ENTIRE WORLD to come along and steal. Computers are great for games, everything else is debatable.

PGP is not broken. The way a few bad email clients are using it is broken. If you are not using Thunderbird you are safe with PGP. While S/MIME is comprised in every email client except modern Outlook, KMail, and mutt.

We fear ...

We fear that the PGP software stores hiddenly the password of the user in the PGP-encrypted message.

It does not appear only in PGP, it includes too SSL, TLS, etc.

By example, if the pure encrypted message occupies 10000 bytes then it will include 200 bytes somewhere hidden for the resulting 10200 bytes of the final encrypted message.

I request a new investigation to this fear.

Re:We fear ...

[thestuckmud]

We fear that the PGP software stores hiddenly the password of the user in the PGP-encrypted message.

I know it is hard to trust anything in a software ecosystem where the likes of RSA Security has been implicated in a security weakening scandal, and one could almost certainly hide data within an Open-PGP message (e.g. adding a private/experimental packet), but I also know that software I use does not do this. I say this because I have done the exercise of analyzing and decrypting Open-PGP messages produced by GnuPG, and I can account for every byte of each packet with the encrypted massages I have analyzed.

But don't trust me: Look up the RFC 4880 and check for yourself. You'll need to do some work because the protocol is klunky, but it is worth doing if you are seriously concerned.

Re:We fear ...

Signed hashes and encrypted symmetric key, plus some other datastructure overhead.

Re:Final straw. Computers are NOT secure. I'm done

No. PGP is probably fine. It's that some email clients with HTML email enabled and automatic decrypt enabled open an attack vector for some reasons. The EFF promises the details will be coming soon.

Re:Common sense for slashdotters is new for newbie

[Mordaximus]

I also think the EFF is a bit paranoid in issuing a 'full stop' to using PGP until this is fixed. At worst, you should send a link to the PGP document you'd like the user to read (in plaintext of course.)

The EFF said no such thing; they recommended uninstalling or disabling widgets that *automatically* decrypt in the MUA.

Are EFF creating panic? PGP is not broken.

[tomatocat]

>Immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email!

Re:Are EFF creating panic? PGP is not broken.

That's a valid short-term answer to the problem. Decrypt using external tools manually, or turn off HTML rendering.

so just...

So to fix this, just disable HTML mail and use plain test email. Right?

TURN OFF HTML MAIL !

PGP is not broken as crypto.

Either stop PGP from automatically decrypting, and transfer the encrypted text to PGP for decrypt outside the mail client.

OR, disable html in the mail client, use plain text mail (as I think Snowden recommended years ago).

Re:Final straw. Computers are NOT secure. I'm done

PGP is broken now?

No. You should read the first link.

This is all situations where the simply act of reading an email causes the mailreader to send a request for an external resource, i.e. html emails. Everyone who cares about security already told their mailreaders to stop doing shit like that back in the 1990s. We're talking about a situation where people already have a problem even if they're not using PGP.

My understanding is this applies to HTML email

[MAXOMENOS]

My understanding of this is that it applies only to HTML email - if you are using S/MIME and PGP/GnuPG with text-only emails, you should be fine. So why are EFF calling for disabling all PGP and GnuPG?

Re:My understanding is this applies to HTML email

The problem comes if you're using a client that can render HTML emails. The emails you've sent in the past might be plaintext, and you might just receive plaintext emails, but if HTML rendering is turned on, you could end up rendering an email an attacker sends you. So, if you just receive plaintext emails, just disable html rendering and you're fine.

Re:My understanding is this applies to HTML email

Not quite correct for S/MIME. Many S/MIME implementations do some incredibly idiotic things, like following links to intermediate certificates to fetch that can be used to extract this kind of information even if HTML rendering is disabled.
And of course what others have said: It's mostly irrelevant what format your own encrypted mails are in. The issue is with having a HTML renderer in your client AT ALL (though primarily with having a badly implemented one that also happily will tell scammers, spammers and address resellers if your email address is active).

Re:My understanding is this applies to HTML email

[gweihir]

The thing is that apparently most email software these days is badly broken and will not only gladly load external includes in HTML email, but also mess up the MIME parsing and ignore warnings about missing integrity protection. I feel pretty smug now that I am on mutt (and will remain on it as primary MUA), even though I had to add lynx as an HTML-to-text filter because some people feel it is acceptable to send HTML-only email. If this were just private email, I would have happily ignored these, but unfortunately it is business.

Open Sores to the rescue

Not..

in other words:

This vulnerability affects those who have no idea how to use encrypted emails. HTML is not to be used in encrypted emails, neither is external references. In fact anyone who is versed in the secure use of email has any and all external references disabled. I do not care for your fancy font or for the background wall paper, If you refuse to attach any pertinent images directly to the email then they are not worth my time. Email is meant to be used as a direct method of communication, only the relevant portions need to be included and font and color are not relevant.

Personally i blame Microsoft for trying to get the masses to adopt email, if they had just left well enough alone then we wouldn't have half of the problems we do today.

Action required: Disable HTML

In other words, disable HTML rendering in your email client, and check for other external referencing stupidity it might have. All of which shouldn't be in your client in the first place. So get a better client.

Which again means that the problem isn't in PGP/GPG, and the "security" "researchers" are much busier drumming up hype than they're doing useful work. Which is par for the course in s'kiddie-land. But we already knew that too, of course.

Re:Action required: Disable HTML

[gweihir]

I agree, the behavior of these security "researchers" is really unethical and unacceptable. My initial reaction was that with an announcement this bombastic, it will likely turn out to not be an elephant but a mouse. And look, it is. And people with a secure set-up are not even affected, only people that use fundamentally insecure software in the first place.

Ha ha but seriouisly.

[Ungrounded+Lightning]

If you have nothing to hide... then why are you using PGP? It is only used by criminals and the like.

Ha, ha.

But seriously. If you have nothing to hide, do all your communication with your bank, mortgage holder, broker, 401(k) administrator, and doctor solely by postcard. And take the shades off your windows.

Law-abiding people have PLENTY to hide. And they have a RIGHT to hide it. The Fourth Amendment, among other parts of the constitution, explicitly recognizes this, and the Supreme Court has issued a ruling making explicit and binding an easy-to-understand "Right to Privacy" interpretation of a combination of several pieces of the Constitution.

Draft eFail Paper Link Here

Draft of the paper to be released tomorrow here: https://efail.de/efail-attack-paper.pdf

This is HUGE!

It's going to impact all 15 people in the world using PGPed email!

EFF is correct about OpenPGP.

Either some didn't read the entire article or don't understand the need for authenticated encryption.

The issue the EFF is concerned about is that the OpenPGP spec doesn't mandate authenticated encryption and doesn't specify what to do if authentication fails.

The authentication tag could be as simple as the HMAC of the encrypted message using the symmetric key as the HMAC "secret". Attackers can't create provide a modified message that could be authenticated without knowing the shared key.

Have the minimum AES mode be GCM or other AEAD encryption modes such as ChaCha20-Poly1305.

The standard needs at least two new SHALLs 1) All encryption modes shall be AEAD. 2) Decryption process shall immediately stop if authentication fails and no part of the message is presented to the user.

Re:Common sense for slashdotters is new for newbie

The EFF is looking to advise dummies (ie. average Joe/Jill/Zilla who doesn't know anything about what they're doing on a computer on average). They want to spread info that will work in securing things without it being too hard for people to actually do.

The more in-depth reasoning and actions will always be sought out by anyone who *isn't* that kind of user.

Werner Koch's Response

[Grady+Martin]

https://lists.gnupg.org/piperm...

Re:Werner Koch's Response

[gweihir]

And that is just it. This thing is way blown out of proportion and it is attributing blame to the wrong tool (and people).

Re:Final straw. Computers are NOT secure. I'm done

[Jahta]

PGP is broken now? It's only had fairly infrequent and minor issues over time. If this is broken now, then it's the final sign that anyone who thinks computers can be secured is wrong. If you want something secure, write it down in a notebook. It'll be about 100x more secure than putting it on a computer simply by not being networked. Even if someone steals and reads your notebook it's better than someone having it on their phone (or PGP, now I guess) for the ENTIRE WORLD to come along and steal. Computers are great for games, everything else is debatable.

PGP is not broken. The way a few bad email clients are using it is broken. If you are not using Thunderbird you are safe with PGP. While S/MIME is comprised in every email client except modern Outlook, KMail, and mutt.

If you are using Thunderbird and you have disabled loading remote content in messages (which you should be doing anyway) then this issue (which relies on automatic execution of embedded remote URLs) won't affect you. HTML emails are the real problem here.

Clickbait. Does not affect sane mailers...

[gweihir]

And really has not much to do with PGP/GnuPG either, it is about the insane HTML integration in email software that can leak data if external resources are loaded automatically and, apparently, your email is decrypted automatically. If you have either of these, your security has gone out of the window long before the present issue was discovered. Also seems to require a broken MIME parser. Hence this is an issue with mailers, not with PGP/GnuPG (or rather the OpenPGP format). Pretty much the same screw-up by email software makers also affects S/MIME, only it suffers from missing authenticated encryption in addition.

Bottom line, a sane set-up that only renders HTML (or refuses it completely like I used to, these days I convert it to text with lynx), but does not fetch/execute anything should be safe from this. And yes, you should definitely use PGP/GnuPG, despite what some people say.

The other bottom line is that many people making email software have really, really screwed up here. The makers of PGP/GnuPG have not.

Re:Final straw. Computers are NOT secure. I'm done

[gweihir]

PGP is very much _not_ broken. Some wannabee mail software is badly broken in how it handles HTML, MIME and PGP integration. This is also not a surprise at all. There is a reason many of us still use mutt or elm or the like at least for encrypted email.

Convenience vs. Security

uninstall tools that automatically decrypt PGP-encrypted email.

Auto decryption is convenient but makes the system weaker.

Re:Final straw. Computers are NOT secure. I'm done

I do this and I don't even use PGP. It's like a built in no-script feature as far as I'm concerned. Only loads local stuff and then I just go to whatever website the email is about. Don't need to click links in emails.

FUD .. again from the EFF Why?

PGP is not broken. Look it's really simple kids, stop using software that does stupid things like automatically opening attachments. You've been warned for literally decades.

Any sane IT department should be disabling at the very least, js in emails. Preferably BAN HTML period though I s'pose "basic" HTML is a middle ground.

The headline should be "outlook users still click on emails".

The more fucked up thing about this is with S/MIME and CA certs that are trusted to execute CODE. It's not an attack surface limited to PGP though.

Incredible yellow journalism

I am surprised the EFF would participate in this circle jerk. This has nothing to do with encryption. This is one of the great pieces of yellow journalism of our time, and I'm amazed Slashdot would perpetuate it. Shame on you...

Securing email?

I have always disabled html in my email program.

I use Thunderbird, html is disabled, remote content is disabled, I have thoroughly gone through it's about:config, I only connect to my ISP with port 995 and 465, and I run Thunderbird in a firejail. I have also deleted many of it's trusted certificate providers.

I use the Enigmail plugin and do not automatically decrypt.

Is there anything else to be done to secure this?

"he" is the gender neutral term.

The word "he" is gender neutral.

The word "she" is feminine.

Also, we all know the hacker ain't a woman.

if your mailclient doesn't behave

just convince it....

sudo groupadd mailonly
sudo usermod -a -G mailonly `whoami`

sudo ipset create allowed-mailclntdst6 hash:ip family inet6 timeout 0
sudo ipset create allowed-mailclntdst hash:ip family inet timeout 0
sudo ipset add allowed-mailclntdst6 [imap.provider.tld]
sudo ipset add allowed-mailclntdst6 [smtp.provider.tld]
sudo ipset add allowed-mailclntdst [imap.provider.tld]
sudo ipset add allowed-mailclntdst [smtp.provider.tld]

sudo ip6tables -I OUTPUT -m owner --gid-owner mailonly -j REJECT
sudo iptables -I OUTPUT -m owner --gid-owner mailonly -j REJECT --reject-with icmp-port-unreachable
sudo ip6tables -I OUTPUT -p tcp -m multiport --dports 143,465,587,993 -m owner --gid-owner mailonly -m set --match-set allowed-mailclntdst6 dst -j ACCEPT
sudo iptables -I OUTPUT -p tcp -m multiport --dports 143,465,587,993 -m owner --gid-owner mailonly -m set --match-set allowed-mailclntdst dst -j ACCEPT

sg mailonly thunderbird