oss-sec mailing list archives
Re: debian: gpg --verify suggests entire file was verified, even if file contains auxiliary data
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 17 Apr 2013 20:44:22 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/17/2013 12:32 PM, Daniel Kahn Gillmor wrote:
On 04/17/2013 02:23 PM, Kurt Seifried wrote:I've run into this before, sadly enigmail (Thunderbird gpg plugin) displays the same green bar for message signed ok, but displays the text as "Part of the message signed" so unless you're really paying attention, you'll miss it. My thinking is this: 1) It's pretty easy to find signed content for people using GPG 2) It's pretty easy to append/embed signed content into a larger message So the attack would be: create malicious content/email, embed/append a valid message harvested from somewhere. Send to user. The user verifies then reads the message, unless they are really paying attention they probably won't notice that the content isn't signed properly (e.g. have an email, ton of whitespace, then the signed message). Personally I'm inclined to assign a CVE, enigmail for example does mostly the right thing (makes a distinction between fully signed and partially signed). I think GPG should too. Thoughts/comments before I assign this?A similar attack (related to PGP/MIME) has been under discussion on the enigmail list last month. see the thread starting at: https://lists.enigmail.net/pipermail/enigmail-users_enigmail.net/2013-March/000721.html I think the enigmail issues are distinct from the gpg issues, and i don't think they should be conflated into the same CVE. In particular, i see the enigmail issues as (security-related) UI/UX problems, but i see the gpg problems as (security-related) API/programmatic-use problems. By comparison with enigmail, thunderbird's native S/MIME verification routines display no cryptographic indicators at all if only part of a message is signed. This means that S/MIME-signed messages sent through common mailing list software which attaches a text/plain MIME footer (like mailman) will not indicate that they are verifiable at all. it's not a pretty set of tradeoffs. :/ --dkg
So I think first off we need to figure out what the behaviour should be. My thought would be that it should be quit explicit, e.g. "this entire message/file/etc. was signed by X" or "a part of this file/message/etc. was signed by X" and so on. The next challenge is how to signal it to the end user. One challenge with enigmail is it provides some of the signalling "in band" as it were (in the email text area) which can be modified by the attacker, and some of it "out of band: (at the top of the window area it puts the color bar and text to clarify. With GPG command line it can maybe say something like "part of this message was signed by X"? I'm inclined to assign a CVE to this type of vulnerability but I have no idea how we fix this _properly_. Anyone have ideas? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRb14FAAoJEBYNRVNeJnmTF/UQAI5niyrCCZ/MXR7kaP6ugzWA ldKWCMlI3D5GUyuQSabAiKDnNq5o6hevPkNs2RMBO4YtVin9cTcC3Obv3YAttSTQ N1H5JgroXO+1Q13v0pGJy1olw5SiTaWcyDMrAQ1EJpW5+E/yx+qNIkfMksZ8+NVH aokzOocX2LMQj7n1FjfB3gO8zIIhTTsRqCKX+cwfJZgJPD3FywySX3DsZZj2dRdo IgTuuYHAE+ZsNuV/rZO/Plv/KfzjBVu0RHxtaOnowaMZTDrw1LEcj8zPOKV/nOf5 m9IV4oMMSz6zVnlIDABBdj8dZFuPN1Kp72j9ox0fcQjy5E1c+ZQ1alFNg6MmoShm 3olCEX4cLmIRSnxB4G92Y80Pj2XmV/PKHrhwGZpggCGdTwEskXej8VcXiKFjH4JN sFpT8aHywKtP3GsWDx6fFkFe9Zy4ZPVlbfruySz9H4rFxywJJDbjoydDvBnhxzCy gffBcYnDPQ1YGnO8WrE8oNMT8jIeCEhOXvd73pgQCy/FvE68X3Q4keSvlwbR1TCE jfTGQqMS18yTshlISHF2rt9eOEkbDPzxHfFuOE/kWoYizqRfVjRW/WsZM+CYwVwH bkM+MGgyh7qa0Jb4eYHvqsl0EJkkp55Kuw3vCx3jcJpi3f6IXItpphgJt2rln4bQ Eop7WmP7qJR1/2y7ExFL =1b8Q -----END PGP SIGNATURE-----
Current thread:
- debian: gpg --verify suggests entire file was verified, even if file contains auxiliary data Thomas Biege (Apr 17)
- Re: debian: gpg --verify suggests entire file was verified, even if file contains auxiliary data Kurt Seifried (Apr 17)
- Re: debian: gpg --verify suggests entire file was verified, even if file contains auxiliary data Daniel Kahn Gillmor (Apr 17)
- Re: debian: gpg --verify suggests entire file was verified, even if file contains auxiliary data Kurt Seifried (Apr 18)
- partial signed message verification in MUAs [was: Re: debian: gpg --verify suggests entire file was verified, even if file contains auxiliary data] Daniel Kahn Gillmor (Apr 18)
- Re: debian: gpg --verify suggests entire file was verified, even if file contains auxiliary data Daniel Kahn Gillmor (Apr 17)
- Re: debian: gpg --verify suggests entire file was verified, even if file contains auxiliary data Kurt Seifried (Apr 17)