EFF -- Attention PGP Users: New Vulnerabilities Require You to Take Action Now

https://www.eff.org/deeplinks/2018/...w-vulnerabilities-require-you-take-action-now

https://twitter.com/seecurity/status/995906576170053633

 

Whoa. What?

I hope that at least files encrypted using GnuPG with only symmetric algorithm are safe. I recommended that for backup purposes and even there is one article written by me somewhere in the Internet.

 

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

 

EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails.
https://efail.de

Full technical paper:
Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels [v0.9 Draft]
https://efail.de/efail-attack-paper.pdf

 

It's got to the point where we may as well just have a generic notice.

A vulnerability has been discovered in,
..enter the name of your favorite software..
This vulnerability reveals all of your private data to an attacker.

 

People Are Freaking Out That PGP Is ‘Broken’—But You Shouldn’t Be Using It Anyway
May 14, 2018
https://motherboard.vice.com/en_us/article/3k4nd9/pgp-gpg-efail-vulnerability

 

GnuPG developers (main open-source OpenPGP implementation) think this is not a hole in the current standard, because standard defines Modification detection codes. GnuPG implements MDCs, so this implementation is sound. Unfortunately a lot of email clients and GUIs for GnuPG are vulnerable.

 

Yeah, both Werner Koch and Robert J. Hansen downplay the severity of this, on http://lists.gnupg.org/mailman/listinfo/gnupg-users

There's also some good discussion at https://news.ycombinator.com/item?id=17064129

 

GnuPG implements MDC's yes, but does not enforce it:
https://twitter.com/matthew_d_green/status/995995769923502081?s=21

 

OK, so Thunderbird plus Enigmail is probably most popular in Linux. And according to Robert J. Hansen:[0]

So if you use Enigmail, do make sure that you're not at v1.99. Just get the add-on in Thunderbird.

Also, of course, make sure that external resources aren't being fetched.

0) https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060321.html

Edit: Oh, but damn. There's more in that thread. Enigmail >v2 can be forced to decrypt with MDC missing.[1] And this is a gpg bug:[2]

However:[3]

I also saw something about it requiring HTML decoding, but can't find it again

1) https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060325.html

2) https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060329.html

3) https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060328.html

More: Yes, disable HTML rendering. In Thunderbird, select "/ View / Message Body As / Plain Text".

And:[4]

So basically, 1) the attacker embeds a link to the encrypted message, 2) the email client fetches and decrypts it, and then 3) sends plaintext back to the attacker.

4) https://lists.cpunks.org/pipermail/cypherpunks/2018-May/042194.html

 

No, PGP is not broken, not even with the Efail vulnerabilities
Recently, news broke about potential vulnerabilities in PGP, dubbed Efail. However, despite reports to the contrary, PGP is not actually broken, as we will explain in this post.
May 15, 2018
https://protonmail.com/blog/pgp-vulnerability-efail/

 

OK, here's how it works. An attacker has some cyphertext that you created with OpenPGP. So they send you an HTML email, including the cyphertext. Your client decrypts the cyphertext, as usual. But the email is structured so that the resulting plaintext gets incorporated into the URL for an embedded image. So by fetching that "image", your client sends the plaintext to the attacker. An attacker could also generate link URLs that way.

Clever. The fundamental issue is that OpenPGP doesn't properly vet content piped to email clients. There's also the issue that some email clients don't properly handle warnings from OpenPGP.

But anyway, there are obvious security practices that block this exploit, even though OpenPGP is vulnerable. Don't render HTML. Only text. Don't fetch remote resources, such as embedded images. And inspect URLs before browsing them. URLs should comprise only host names, and simple folder and file names. No long random-looking strings.

And seriously, those have been my standard practice for well over a decade.

 

Agreed. I am that + crazy more. I still manually move my encrypted email/data to a separate place and then perform the decryption individually. Then I construct a remote response if desired and manually transfer that to a place to send my response. Its slow of course but I always trade convenience away for security. Its not a complete air gap but its close in a way. In the past few years I am only doing 10 or less encrypted emails a day. My system would be too labor intense if I were sending 50 emails like many years ago.

 

So is this using the same exploit as email tracking pixels use? A link embedded in an email to a tiny invisible remote image?

 

In a sense, yes.

It leverages how email clients typically decrypt stuff automatically. Say, to yield "this is my plaintext". And how they concatenate pieces of multipart emails. So the email client generates an embedded image URL like "https://foo.xyz/this is my plaintext". And "this is my plaintext" shows up in the server's web log, along with your IP address etc. Whether or not an image actually gets fetched doesn't matter.

 

Okay I'm no expert, but after reading up on this... I say it's yet another scare alert that really isn't. It's more about email clients not interfacing correctly with PGP not about OpenPGP. I'm not worried at all over this. I used Claws-Mail which according to the paper is not affected. That and I only exchange encrypted messages with a very small number of people, we use plaint text only.

 

Repeat x1000. HTML is irrevocably designed to leak information to the mainframe you're connected to, and clearly allows unconstrained connections to be made to all and sundry. It presumes display and makes it hard to process headless.

In other words, a security and privacy disaster.

In my opinion, email and web browsing should be ditched and secure messaging be used instead, with a schema (NOT HTML!!!!) which cleanly decouples parsing, processing, encryption/decryption and rendering of the content. So that, in an extreme case, the stages could happen in different address spaces (either sandboxes, virtual machines or physical machines). By agreeing a simple xml schema for instance, open source client code could parse content and make it available to the other stages of the process.

 

I just KNEW something was wrong with PGP over a year ago but just couldn't prove it. I expressed my concern to some, uhh, government agencies where I have contacts; silence followed.

 

Sure. But an adversary could have old encrypted messages. From one of your contacts, from a mail server, or whatever.

And they could send you one of these crafted messages, containing that cyphertext.

But if Claws-Mail truly isn't vulnerable, no problem.

 

This isn't primarily an OpenPGP issue. It's mainly about how email apps handle encrypted content.

 

Well stated!

 

I'm at the point where I almost don't care anymore because I know there is no point.
Once you understand that it is the agenda that private individuals should not have private communications then you have to know it is the job of multi billion dollar agencies to enforce that agenda. That is what they are paid to do.
The kind of budgets available means they have almost unlimited resources to assign thousands of coders to infiltrate, fork or take over open source projects for the purpose of breaking security, buy companies that create encryption products for the same reason and infiltrate others including organisations that develop and approve standards and protocols.
So regardless of this latest known email vulnerability, if the OS and other software is not recording keystrokes, taking screenshots, capturing passwords and encryption keys, implementing weakened encryption etc we might say those agencies are not worth a damn because they couldnt do the job they have been assigned to do.
But I think most would agree that is not accurate, they damn sure can do their job.

 

https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08

 

@mirimir Best Post yet, spot on!!!

 

Statement from PGP developers about eFail
Recent news reports regarding “eFail” have contained significant errors regarding the security of PGP email encryption. It is necessary to correct the record.
May 24, 2018
https://protonmail.com/blog/pgp-efail-statement/