oss-sec mailing list archives

Re: PGP/MIME and S/MIME mail clients vulnerabilities

From: Brian May <brian () linuxpenguins xyz>
Date: Tue, 15 May 2018 17:40:04 +1000

Yves-Alexis Perez <corsac () debian org> writes:

So, as far as I can tell, in that attack scenario (where the attacker has
read/write access to encrypted mails):

- S/MIME is completely broken at the protocol level since it has no way to
defend against blind modification. Only mitigation for the clients are to
prevent HTML mails and/or prevent loading of external resources. There might
be other avenues to exploit the vulnerability in the future though.

- PGP/MIME is a bit safer because the OpenPGP format compresses plaintext
before encryption (which makes it harder for the attacker) and has some kind
of authenticated (symmetric) encryption (the MDC), which helps gnupg detects
modifications to the cyphertext. Most mail clients properly handle gnupg hints
when something went wrong but the external interface is a bit fragile (gnupg
will still output the cleartext, for example). One exception is apparently
Thunderbird with enigmail before 2.0.0, but this is now fixed (I didn't find
the proper commit yet). Again, not displaying HTML mails and not allowing
remote content loading can help, but other “backchannels” might be found in
the future.


Have a look at some official statements on this:

* https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html
* https://protonmail.com/blog/pgp-vulnerability-efail/

For the case of PGP it sounds like the only problems occur when mail
clients ignore the GPG hints.

For S/MIME, it does sound like the standard is broken and needs fixing.

If I understand this correctly, the "Direct Exfiltration" is an attack
that doesn't require modifying the encrypted data - so presumably the
MDC in PGP won't help. To me this sounds like a email client problem
(allowing mixing encrypted and encrypted data in the one HTML document
seems like a very bad idea), but the https://efail.de/ page says the
standards need to be updated to fix this.
-- 
Brian May <brian () linuxpenguins xyz>
https://linuxpenguins.xyz/brian/

Current thread:

PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 14)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Jakub Wilk (May 14)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Christian Brabandt (May 14)
  - Re: PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 14)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Brian May (May 15)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 15)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Leo Gaspard (May 15)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Brian May (May 16)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Brian May (May 16)
  - Re: PGP/MIME and S/MIME mail clients vulnerabilities Florian Weimer (May 15)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 16)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Matthew Fernandez (May 16)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Florian Weimer (May 22)