Attention PGP Users: New Vulnerabilities Require You To Take Action Now

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. From a report: EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages. The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific).

In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication. Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email. Further reading: People Are Freaking Out That PGP Is 'Broken' -- But You Shouldn't Be Using It Anyway (Motherboard).

Re:Holy shit!

[Kenja]

Isn't this supposed to be a peer reviewed...

Yes... which is how we know about the problem and can address it. Open Source isn't magic.

Weird Advice

[Carcass666]

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

In other news, lock picks can be used to open up your model of door lock. We advise you to remove all door locks from your door until a lock pick proof lock can be engineered and installed.

Re:Weird Advice

[Kiliani]

The key word was *automatically* – although it is not always clear in the press what you are supposed to do. So confusion will abound. No surprise there.

In the end, you can still use PGP, but you have to do more work to be safe. I think, if you understand how to use PGP to begin with, you can probably help yourself for now. If not, well ....

In your terms: keep your locks. But disable the remote locking feature (take the battery out) and don't use your app to lock your house - use your good old key you stored away in a box a long time ago. Yes, you will have to do actual work. And yes, someone can still break in - probably through the window. Or by kicking in the door ...

Re:Weird Advice

[nine-times]

I think that if you read between the lines, the problem isn't that PGP can be broken. The problem is that there's a vulnerability in the PGP code such that a specially-crafted payload can exploit it and compromise your system... somehow.

That's why they're specifically warning not to automatically open PGP-encrypted messages. It implies that someone might send a malicious PGP message that could cause damage, so you should be careful about which messages you decrypt until this is fixed.

Re:Weird Advice

[Carewolf]

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

In other news, lock picks can be used to open up your model of door lock. We advise you to remove all door locks from your door until a lock pick proof lock can be engineered and installed.

Yeah, I can't help but think however said that had an agenda. It does appear Thunderbird is fully compromised, while most other email clients including outlook are only compromised for S/MIME, and even for that it is for Outlook only 2007 and earlier.

Re: Weird Advice

[athmanb]

Encryption bugs are rarely in the "math" part of code, and more often in the surrounding stuff that handles content.

I'n guessing there is some sort of issue here where a cracker can expose data by sending a malformed email. So it's more like disabling a door lock that somebody could use to give you an electric shock...

Re:Weird Advice

[SigmundFloyd]

The key word was *automatically*

And that key word makes me think that this might have something to do with passphrase caching.

Re: Weird Advice

They exist. They are gun shaped.
You just put it in and pull the trigger a few times and it's open.

Re:Weird Advice

[cryptizard]

Nope, the problem is that an adversary can send you a carefully crafted email, which inside of it has an old encrypted email that they want to break into, and due to automatic decryption and rendering of HTML elements the plaintext of that encrypted email gets exfiltrated to a target server. The core issue is actually in the way MIME works with multi-part emails where you are allowed to have some unencrypted HTML and some encrypted segments together in the same email.

Re:Weird Advice

[cryptizard]

No, it is a problem with mixed-messages which can have unencrypted HTML next to encrypted text. You can trick the client into decrypting a message you send to them and giving it back to you.

Re:Weird Advice

[nine-times]

Ok, so I'm not 100% right but not 100% wrong. It's not that they can compromise your system, but they can compromise your other encrypted messages.

To reframe the metaphor, it's not "We've discovered that locks can be picked, so remove locks from all of your doors." It's more like, "We've discovered that there's a way that sticking your key into a malicious lock might allow them to scan your key and unlock your doors. Don't go sticking your key into unknown locks." Or something.

Re:Weird Advice

[gweihir]

This should come as no surprise at all. Automatic decryption of emails is insecure, pretty much by definition. Anybody using that does not have security as it takes one tiny flaw somewhere else to exploit that. Also, automatically loading external stuff in an email reader is pretty much insane.

Re:Weird Advice

[swillden]

"Don't go sticking your key into unknown locks."

More like "Stop using the automatic door unlocking tool". The analogy really doesn't work, but the point is that if you continue automatically decrypting emails with a buggy mail client, an attacker can arrange to be able to read emails encrypted to you.

Re:Weird Advice

[nine-times]

More like "Stop using the automatic door unlocking tool".

Yeah, but it's more like, "Don't have your automatic door unlocking tool automatically unlock any door that any random stranger might send to you."

Like you said, the analogy doesn't work.

Re: Weird Advice

[Brockmire]

Put the gun in the keyhole? That's not going to fit unless the gun is the size of your dick?

Re:Weird Advice

[Darinbob]

Yes, but some hipster is going to complain that having to be asked to decrypt every message is cumbersome and not as cool.

Re:Weird Advice

[swillden]

More like "Stop using the automatic door unlocking tool".

Yeah, but it's more like, "Don't have your automatic door unlocking tool automatically unlock any door that any random stranger might send to you."

Like you said, the analogy doesn't work.

Right, but most email clients with S/MIME or PGP support do automatically decrypt and display any email. You have to click on it first, but why wouldn't you? Obviously the attacker would make sure the From and Subject fields contain values you'd expect to see... probably just use the ones from the email they intercepted and modified.

Re:Weird Advice

[swillden]

Yes, but some hipster is going to complain that having to be asked to decrypt every message is cumbersome and not as cool.

And that still wouldn't help. Because how would anyone (hipster or not) decide whether to decrypt the message? The only information you have before the message is decrypted and displayed is the subject and sender, and the attacker will arrange for both of those to be things you'd expect to be legitimate. The attacker is someone who can intercept and modify your legitimate email, remember.

Or any other encryption

[jbmartin6]

The problem is the clients decrypt, then process any external requests for content. So if you can re-send an encrypted email with an external content request added to it, the client will happily decrypt then send the content request with your precious decrypted content. If you globally disable fetching any external content you don't have to worry. The encryption protocols all work fine, it is the behavior of the clients after the decryption that is the problem. So S/MIME would be affected too, or potentially any other encryption tool. Refusing to load any external content under any circumstances is good advice anyway.

Re:Or any other encryption

[xxxJonBoyxxx]

^^^ THIS ^^^ - PGP and SMIME are still fine. It's that dumb-ass software put secure (decrypted) and non-secure content into the same pot, and let the non-secure content broadcast the secure content out.

This site has the actual details (and paper): https://efail.de/

"EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago. The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker."

Re:Or any other encryption

[jbmartin6]

The kicker is, you can't control what your correspondent does with his email client, so any encrypted messages you have sent could be compromised in this way. But that was always the case since you would rely on the recipient to safeguard the keys anyway.

Re:Or any other encryption

[Mryll]

Ultimately you need to depend on them to safeguard the decrypted plaintext as well from any threat in the context

Re:Or any other encryption

[gweihir]

On a related note, this is _email_! Automatically loading anything externally is just as insane as automatically opening attachments. Have the people writing this broken email software learned absolutely nothing from the past?

Re:Or any other encryption

[gweihir]

Indeed. The recipient can just publish the email or send it to a 3rd party. You need to be able to trust people you send secrets to.

Re:Holy shit!

Isn't this supposed to be a peer reviewed protocol that was guaranteed to be secure? How long has this program existed? Holy shit.

The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.

Final straw. Computers are NOT secure. I'm done.

[Seven+Spirals]

PGP is broken now? It's only had fairly infrequent and minor issues over time. If this is broken now, then it's the final sign that anyone who thinks computers can be secured is wrong. If you want something secure, write it down in a notebook. It'll be about 100x more secure than putting it on a computer simply by not being networked. Even if someone steals and reads your notebook it's better than someone having it on their phone (or PGP, now I guess) for the ENTIRE WORLD to come along and steal. Computers are great for games, everything else is debatable.

Some advice is worth what you paid for it

[ugen]

Yes, indeed, some advice there. Because there is some potential for bad actors to possibly decrypt some of the PGP encrypted messages, if said messages include HTML with links to 3rd party sites (which your email client must display automatically), you need to **completely disable** email encryption. Then all of your email becomes clear text and, fully readable by anyone without effort, and thus you are completely safe from that vulnerability. SMH.

That wonderful advice is brought to you by researchers in no way sponsored by NSA or any other 3 letter agency.

For those worried - make sure your email client does not automatically display any embedded HTML links (or, better yet, just turn off HTML formatted email). I believe this is the default for Enigmail encrypted email anyway. Use plaintext, and you are as safe as cryptography allows. (I believe Enigmail authors posted a message to that effect).

Re:Some advice is worth what you paid for it

[PPH]

which your email client must display automatically

Must? I guess I'm in real trouble. Because I read my e-mail with elm. The standards police will be kicking in my door any minute now.

Re:Some advice is worth what you paid for it

[jeff4747]

you need to **completely disable** email encryption

And there's where your reading comprehension failed.

The recommendation is to disable automatic email decryption. Because a lot of email clients will automatically decrypt the email and then happily run the "active content" in that email (aka hit an external server to download images or other HTML-email-fun).

So go ahead an send emails encrypted. And go ahead and decrypt your emails...manually so that you're doing it in a place that will not automatically run the HTML.

Re:Some advice is worth what you paid for it

[ugen]

To quote myself: "there is some potential for bad actors to possibly decrypt some of the PGP encrypted messages, if said messages include HTML with links to 3rd party sites (which your email client must display automatically)".

Explanation: For bad actors to decrypt PGP encrypted messages, these messages must include HTML with links to 3rd party sites and your email client must display such links automatically.

Re:Some advice is worth what you paid for it

[ugen]

This is not what I see when I read articles on the topic. For example: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

They suggest completely disabling or *uninstalling* tools that automatically decrypt PGP messages. There are multiple guides following this advisory that explain how to completely uninstall or disable Enigmail in email client (Thunerbird etc).

Re:Some advice is worth what you paid for it

[jeff4747]

They suggest completely disabling or *uninstalling* tools that automatically decrypt PGP messages

Hey look! It's exactly what I said.

Once again, the advice is not to stop using PGP or S/MIME. It's to not automatically decrypt messages because of HTML email.

Re:Some advice is worth what you paid for it

[gweihir]

Indeed. This whole problem comes from crappy clueless implementations and crappy clueless defaults. Turning off PGP completely is entirely the wrong reaction.

Bad HTML Mail Clients

[Xoc-S]

I'm no security expert, but allowing HTML mail to arbitrarily download embedded graphics in a mail client is just dumb. From my reading of the articles, doing that doesn't disable the problem, but keeps the information from escaping back to the malicious parties. This is a mail client problem triggering PGP to decrypt, then allowing the information to escape through embedded graphics, not a fundamental problem in PGP itself. Turning off HTML mail support at the client and just taking the text representation of the message looks like it completely defeats the hack. Tell me if I'm wrong.

Re:Bad HTML Mail Clients

[Carewolf]

I'm no security expert, but allowing HTML mail to arbitrarily download embedded graphics in a mail client is just dumb. From my reading of the articles, doing that doesn't disable the problem, but keeps the information from escaping back to the malicious parties. This is a mail client problem triggering PGP to decrypt, then allowing the information to escape through embedded graphics, not a fundamental problem in PGP itself. Turning off HTML mail support at the client and just taking the text representation of the message looks like it completely defeats the hack. Tell me if I'm wrong.

As a KMail user I have the default to never download HTML content. You would be surprised how many emails rely on it, though mostly newsletter that can usually be ignored, but sometimes website-integration messages are equally crappy. In Kmail it fortunately an option to override the external content for a single email at a time, so this bug would only affect you if you did a warned against security override on an encrypted email, in which case you are asking for it, and you can't really leak more than what the original idiot send as partially encrypted content.

Re:Bad HTML Mail Clients

[gweihir]

I am a security expert and I would upgrade that to "extremely dumb" as in "completely clueless about security". And no, you are not wrong. Also, having a correct MIME parser or taking the warning about missing integrity protection seriously also works to solve this. This is a problem on the side of the mail software affected.

Caveat: I have not looked at the finer details. I use mutt as mailer for anything encrypted with lynx as html-to-text filter and are decidedly not affected by any of this.

Re:Bad HTML Mail Clients

[gweihir]

And _that_ is a sane default. Do insecure things, be insecure. There is not even a story here except that apparently many makers of email software are really clueless about security.

Problem is in the MUAs, not really in OpenPGP

[freax]

From https://lists.gnupg.org/piperm... :

> 1. This paper is misnamed.
Indeed
> 2. This attack targets buggy email clients.
Exactly
> 3. The authors made a list of buggy email clients.
Well said.

The MUA should not allow *any* utilization of HTTP when rendering a HTML E-mail. Any form of doing that is a serious mistake. Not only because of what is reported here, but also because that way *that* use of HTTP will allow spammers to identify when you open the E-mail. They use that to know if your E-mail adress is still alive.

Serious MUAs don't do this without user consent. Most HTML components even have a explicit offline mode exactly for that reason. Meaning that they won't automatically go online and fetch things like the src url of an IMG.

Any MUA that does this without user consent is completely and utterly wrong. Especially in a security sensitive context. This is something most MUA developers know about and if not, should know.

Re:Holy shit!

[tinkerton]

Better mod this up because a lot of people will be getting this wrong.

Re:If you have nothing to hide

[PPH]

So, this isn't about my wearing pants?

Common sense for slashdotters is new for newbies

[nimbius]

What might be common sense for us is certainly not for newcomers to PGP or those being made to use PGP in a corporate environment as part of a 'best practice'

when you're sending a PGP message, it needs to be plaintext. HTML is simply too dangerous to be disarmed in every conceivable application. This means your email messages should be read in plaintext for PGP.

I also think the EFF is a bit paranoid in issuing a 'full stop' to using PGP until this is fixed. At worst, you should send a link to the PGP document you'd like the user to read (in plaintext of course.)

What spooks would like you to do...

[mi]

temporarily stop sending and especially reading PGP-encrypted email

Sounds like just what the spies would like you to do to gain temporary access to most communications that used to be encrypted, while disabling some of them...

Plaintext email FTW!

[93+Escort+Wagon]

Seriously - there’s no good reason for an email which is important enough to encrypt to include html or other “rich formatting” anyway. Just turn it all off.

Re:Plaintext email FTW!

email which is important enough to encrypt

That would be all email. Your local burglar doesn't need to know that you just told your wife you'll be home late. Your insurance company doesn't need to know you want your wife to pick up some beer on the way home. Your ad company doesn't need to know that you think Disaster Area is the hoopiest band ever, or that you just wished your father's brother's nephew's cousin's former roommate a happy birthday. Etc. There aren't any emails that don't need encryption.

Except spam. Those are the only emails that don't need to be encrypted.

Re:Plaintext email FTW!

[Kjella]

Seriously - thereâ(TM)s no good reason for an email which is important enough to encrypt to include html or other âoerich formattingâ anyway. Just turn it all off.

While that's true it's been a long time since I saw an exploit in actual HTML rendering code that didn't involve Javascript or some other active component. The problem is that email inherited the browser's "let's go out and gather all the bits and pieces" logic instead of being inline only, like if you could send text/html, text/css, image/jpeg as a MIME message and it'd render that HTML code styled using that CSS displaying that image in an <img> tag that would be fine for all but the most paranoid applications and you should always have a text/plain version for those. It's that it's not really a nicely formatted letter, it's just references to web bugs and various other crap somewhere else which kinda defeats the purpose of being mail-like. Then it's just a browser in drag.

Re:Final straw. Computers are NOT secure. I'm done

[Carewolf]

PGP is broken now? It's only had fairly infrequent and minor issues over time. If this is broken now, then it's the final sign that anyone who thinks computers can be secured is wrong. If you want something secure, write it down in a notebook. It'll be about 100x more secure than putting it on a computer simply by not being networked. Even if someone steals and reads your notebook it's better than someone having it on their phone (or PGP, now I guess) for the ENTIRE WORLD to come along and steal. Computers are great for games, everything else is debatable.

PGP is not broken. The way a few bad email clients are using it is broken. If you are not using Thunderbird you are safe with PGP. While S/MIME is comprised in every email client except modern Outlook, KMail, and mutt.

Re:Common sense for slashdotters is new for newbie

[Mordaximus]

I also think the EFF is a bit paranoid in issuing a 'full stop' to using PGP until this is fixed. At worst, you should send a link to the PGP document you'd like the user to read (in plaintext of course.)

The EFF said no such thing; they recommended uninstalling or disabling widgets that *automatically* decrypt in the MUA.

Are EFF creating panic? PGP is not broken.

[tomatocat]

>Immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email!

Re:Holy shit!

[Carewolf]

Isn't this supposed to be a peer reviewed protocol that was guaranteed to be secure? How long has this program existed? Holy shit.

The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.

And only for HTML emails, and only in Thunderbird, Apple Mail, Postbox and Airmail. So if you are using a better email client especially a non-Mac one you are fine.

My understanding is this applies to HTML email

[MAXOMENOS]

My understanding of this is that it applies only to HTML email - if you are using S/MIME and PGP/GnuPG with text-only emails, you should be fine. So why are EFF calling for disabling all PGP and GnuPG?

Re:My understanding is this applies to HTML email

The problem comes if you're using a client that can render HTML emails. The emails you've sent in the past might be plaintext, and you might just receive plaintext emails, but if HTML rendering is turned on, you could end up rendering an email an attacker sends you. So, if you just receive plaintext emails, just disable html rendering and you're fine.

Re:My understanding is this applies to HTML email

[gweihir]

The thing is that apparently most email software these days is badly broken and will not only gladly load external includes in HTML email, but also mess up the MIME parsing and ignore warnings about missing integrity protection. I feel pretty smug now that I am on mutt (and will remain on it as primary MUA), even though I had to add lynx as an HTML-to-text filter because some people feel it is acceptable to send HTML-only email. If this were just private email, I would have happily ignored these, but unfortunately it is business.

in other words:

This vulnerability affects those who have no idea how to use encrypted emails. HTML is not to be used in encrypted emails, neither is external references. In fact anyone who is versed in the secure use of email has any and all external references disabled. I do not care for your fancy font or for the background wall paper, If you refuse to attach any pertinent images directly to the email then they are not worth my time. Email is meant to be used as a direct method of communication, only the relevant portions need to be included and font and color are not relevant.

Personally i blame Microsoft for trying to get the masses to adopt email, if they had just left well enough alone then we wouldn't have half of the problems we do today.

Action required: Disable HTML

In other words, disable HTML rendering in your email client, and check for other external referencing stupidity it might have. All of which shouldn't be in your client in the first place. So get a better client.

Which again means that the problem isn't in PGP/GPG, and the "security" "researchers" are much busier drumming up hype than they're doing useful work. Which is par for the course in s'kiddie-land. But we already knew that too, of course.

Re:Action required: Disable HTML

[gweihir]

I agree, the behavior of these security "researchers" is really unethical and unacceptable. My initial reaction was that with an announcement this bombastic, it will likely turn out to not be an elephant but a mouse. And look, it is. And people with a secure set-up are not even affected, only people that use fundamentally insecure software in the first place.

Re:Holy shit!

[OtisSnerd]

The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.

And only for HTML emails, and only in Thunderbird, Apple Mail, Postbox and Airmail. So if you are using a better email client especially a non-Mac one you are fine.

According to the EFF notice, it also affects Outlook with the GPG4win plugin. Outlook also has builtin S/MIME checking, and oddly, that's been throwing errors on the signed emails I'm getting from the ClamAV list this morning...

Ha ha but seriouisly.

[Ungrounded+Lightning]

If you have nothing to hide... then why are you using PGP? It is only used by criminals and the like.

Ha, ha.

But seriously. If you have nothing to hide, do all your communication with your bank, mortgage holder, broker, 401(k) administrator, and doctor solely by postcard. And take the shades off your windows.

Law-abiding people have PLENTY to hide. And they have a RIGHT to hide it. The Fourth Amendment, among other parts of the constitution, explicitly recognizes this, and the Supreme Court has issued a ruling making explicit and binding an easy-to-understand "Right to Privacy" interpretation of a combination of several pieces of the Constitution.

Re:Holy shit!

[unrtst]

This all goes back to really stupid features being added to email. There is no good reason to load external resources into an email. Want to include an image in your email? Go for it, but include it in the email. Why the hell would an external image get automatically loaded in an email that I downloaded for offline reading?!?! If it's external, just provide a link to it. Hell, just get rid of HTML email altogether!

The CBC "gadget" vulnerability seems kinda scary (see https://efail.de/), but I'm fairly certain that a signed and encrypted message would identify these (modifying the encrypted message via CBC gadget will break the message signature). While one *can* send an encrypted message that is not signed, that's never actually done. So, if you get an encrypted message that is not signed, that set off an alarm in the email client and lock down that message (sandbox it).

This is 100% the fault of the email client implementations. FWIW, if you still use mutt or pine or alpine etc, you're safe for now. They did mention other backchannels, but didn't name any... maybe more will be disclosed on that later?

Re:Holy shit!

[martyros]

And only for HTML emails...

This could be misunderstood -- the whole point of the attack is that the attacker changes a non-HTML email into an HTML one. If your mail client doesn't support HTML (or displays the formatting but doesn't fetch anything) then you're fine.

...and only in Thunderbird, Apple Mail, Postbox and Airmail.

This isn't correct.

There are two bugs. One is a sort of braindead one which only affects a small number of clients (including Thunderbird and Apple Mail), and has nothing to do with PGP or SMIME.

The other one is more serious, and does have to do with SMIME and PGP. Basically, if an attacker has a copy of an email which is encrypted but not signed, and knows what some of the plaintext is exactly, she can splice out those bits and put in other bits. And basically all e-mails contain things like Content-type: text/plain. So, an attacker can modify that to Content-type: text/html\n\n <img src=.

Regarding this bug, the website says:

Our analysis shows that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients.

I agree that it's a bug for MUAs to automatically download external content in encrypted emails. But it's a much more understandable bug to make.

Re: Holy shit!

[Bradmont]

Nobody said open source is a panacea to make software secure, bit it *is* a prerequisite for a user to verify that a piece of software is secure. It's like politicians that don't reveal their tax returns: those that don't do it aren't necessarily crooked, and those that do aren't necessarily honest. But one of the criteria for being certain that they're honest is to be able to audit those returns.

EFF is correct about OpenPGP.

Either some didn't read the entire article or don't understand the need for authenticated encryption.

The issue the EFF is concerned about is that the OpenPGP spec doesn't mandate authenticated encryption and doesn't specify what to do if authentication fails.

The authentication tag could be as simple as the HMAC of the encrypted message using the symmetric key as the HMAC "secret". Attackers can't create provide a modified message that could be authenticated without knowing the shared key.

Have the minimum AES mode be GCM or other AEAD encryption modes such as ChaCha20-Poly1305.

The standard needs at least two new SHALLs 1) All encryption modes shall be AEAD. 2) Decryption process shall immediately stop if authentication fails and no part of the message is presented to the user.

Re:We fear ...

[thestuckmud]

We fear that the PGP software stores hiddenly the password of the user in the PGP-encrypted message.

I know it is hard to trust anything in a software ecosystem where the likes of RSA Security has been implicated in a security weakening scandal, and one could almost certainly hide data within an Open-PGP message (e.g. adding a private/experimental packet), but I also know that software I use does not do this. I say this because I have done the exercise of analyzing and decrypting Open-PGP messages produced by GnuPG, and I can account for every byte of each packet with the encrypted massages I have analyzed.

But don't trust me: Look up the RFC 4880 and check for yourself. You'll need to do some work because the protocol is klunky, but it is worth doing if you are seriously concerned.

Werner Koch's Response

[Grady+Martin]

https://lists.gnupg.org/piperm...

Re:Werner Koch's Response

[gweihir]

And that is just it. This thing is way blown out of proportion and it is attributing blame to the wrong tool (and people).

Re: Holy shit!

3 strawmen in one post? Wow we got a record boys.

Re:Holy shit!

[Gr8Apes]

This is 100% the fault of the email client implementations.

No, it isn't. Its yet another open source failure. Many eyes.. haha

It absolutely IS the fault of email clients. PGP/GPG doesn't go out and load remote content.

Re:Holy shit!

[Gr8Apes]

Apple Mail is fine, and I'm sure others are too, if you turn off "Load remote content". I did that a while ago because it's one of the ways FB and Google both track you.

Re:Final straw. Computers are NOT secure. I'm done

[Jahta]

PGP is broken now? It's only had fairly infrequent and minor issues over time. If this is broken now, then it's the final sign that anyone who thinks computers can be secured is wrong. If you want something secure, write it down in a notebook. It'll be about 100x more secure than putting it on a computer simply by not being networked. Even if someone steals and reads your notebook it's better than someone having it on their phone (or PGP, now I guess) for the ENTIRE WORLD to come along and steal. Computers are great for games, everything else is debatable.

PGP is not broken. The way a few bad email clients are using it is broken. If you are not using Thunderbird you are safe with PGP. While S/MIME is comprised in every email client except modern Outlook, KMail, and mutt.

If you are using Thunderbird and you have disabled loading remote content in messages (which you should be doing anyway) then this issue (which relies on automatic execution of embedded remote URLs) won't affect you. HTML emails are the real problem here.

Clickbait. Does not affect sane mailers...

[gweihir]

And really has not much to do with PGP/GnuPG either, it is about the insane HTML integration in email software that can leak data if external resources are loaded automatically and, apparently, your email is decrypted automatically. If you have either of these, your security has gone out of the window long before the present issue was discovered. Also seems to require a broken MIME parser. Hence this is an issue with mailers, not with PGP/GnuPG (or rather the OpenPGP format). Pretty much the same screw-up by email software makers also affects S/MIME, only it suffers from missing authenticated encryption in addition.

Bottom line, a sane set-up that only renders HTML (or refuses it completely like I used to, these days I convert it to text with lynx), but does not fetch/execute anything should be safe from this. And yes, you should definitely use PGP/GnuPG, despite what some people say.

The other bottom line is that many people making email software have really, really screwed up here. The makers of PGP/GnuPG have not.

Re:Final straw. Computers are NOT secure. I'm done

[gweihir]

PGP is very much _not_ broken. Some wannabee mail software is badly broken in how it handles HTML, MIME and PGP integration. This is also not a surprise at all. There is a reason many of us still use mutt or elm or the like at least for encrypted email.

Re:Holy shit!

[gweihir]

Nothing is "guaranteed to be secure". Incidentally, it is not PGP or GnuPG that is at fault here. It is fundamentally broken and insecure HTML and MIME parsing in the email software affected. PGP/GnuPG is perfectly fine.

Re:Holy shit!

[gweihir]

This is 100% the fault of the email client implementations. FWIW, if you still use mutt or pine or alpine etc, you're safe for now.

Oh, yes. Mutt user here (at least for encrypted email), because I have never trusted these messed up insecure jokes that pass for email software these days. Automatically loading stuff from external places in this way is an instant security fail. Nobody with a clue is surprised this can be exploited.

Re:Holy shit!

[gweihir]

PGP/GnuPG also does no MIME parsing, which must be broken as well to allow the attack. This is 100% incompetent implementation of email software by people that are clueless about security.

I also have to say I find all the alarmists here a disgrace. Clueless, arrogant and panicky, a very bad combination.

Re:Holy shit!

[Carewolf]

Apple Mail is fine, and I'm sure others are too, if you turn off "Load remote content". I did that a while ago because it's one of the ways FB and Google both track you.

True, but it really should be default off, and be warned against turning on.

Re: Holy shit!

[Narcocide]

Why does this post make me sure you're the one who wrote it?

Re:Holy shit!

[Darinbob]

A lot of security flaws arise from someone wanting to improve the "user experience". We've known almost forever that convenience the enemy of security.

Re:Holy shit!

[Srin+Tuar]

> The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.

Apparently thats wrong; it seems that core vulnerabilities lie inside the use of the gpg and smime protocol implementations themselves.

In particular, the lack of a valid message digest, and the default behavior of returning decryption results (or even attempting decryption) when the digest is invalid is the core problem.

If tampered encrypted payloads are detected, *decryption must not be attempted*

It seems over gnupg is vulnerable to this attack.

Re:Holy shit!

[Srin+Tuar]

> is not PGP or GnuPG that is at fault here

They are at fault for violating the "enc then mac" principle.

They should not return decrypted content of tampered messages, and if they didnt the gadget weakness would not exist.

This is absolutely a crypto issue in addition to an email client issue.

Re:Holy shit!

[unrtst]

(Sorry... I know you were probably just riffing on the recursive acronym)
AFAIK, Elm doesn't support S/MIME nor GPG/PGP (though you can pipe stuff out to gpg to view the plain text, obviously). I'm not even sure Elm is Y2K compliant (according to http://www.instinct.org/elm/, "Update 06th Jan 2000: elm 2.4 is not Y2K compliant."). There are other, and more modern, terminal based email clients that may be worth mentioning. And there are older mail clients that also don't support S/MIME ("mail" from mailutils).

Re:Holy shit!

[Gr8Apes]

I agree, it would be better. But imagine the tsunami of customer support calls when people complain they can't see their FB notification emails.

Re:Holy shit!

[gweihir]

Read the description of the problem again.

Re: Holy shit!

[Bradmont]

You clearly didn't even read my comment, so I won't bother crafting a response either.