1. 22

EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails.

Here the paper.

  1.  

  2. 15

    It’s nice people are working on discovering these things. I wish they didn’t have to make a big publicity stunt out of it every time though.

    1. 3

      I’m sure there do exist some GPG users who have images set to download automatically, but the idea that every GPG user “must take action now” is absurd.

      1. 1

        If I understand this well, if someone that has history of exchanges with you doesn’t act, then he might leak some informations that you exchanged together. That’s why if everybody stops using it temporarily, it might help everybody.

        1. 6

          Proper use of PGP assumes trust both in every participant, in the hardware/software involved, and in the OPSEC skill of every corespondent. This “vulnerability” changes nothing. If you used PGP with a client that automatically downloaded imaged (extremely unlikely), you had been doing it wrong already.

        2. 1

          That’s not necessarily required – Thunderbird preloads content, but does not display it. So you’d be vulnerable there, too.

          1. 2

            OK, then Thunderbird is broken and badly needs to be fixed. This is true regardless of whether GPG is used or not.

            1. 2

              Thunderbird does not automatically download remote content: https://support.mozilla.org/en-US/kb/remote-content-in-messages. It does download entire messages, including attachments; but I would be very surprised if this were not common MUA behavior.

      2. 11

        I have to wonder how much time is spent during the researching of a vulnerability in coming up with the perfect dad-joke moniker for it and registering a domain name…

        1. 3

          Usually more time than alerting vendors and allowing them to come up with a fix. See also: Meltdown and Spectre.

          1. 5

            Really, you think six months was spent dreaming up the meltdown name?

            1. 1

              Did all vendors, including OpenBSD, get six months advanced notice with Meltdown?

              1. 5

                I don’t think it’s possible to draw any conclusions on the time spent naming the vuln from the list of vendors that weren’t notified.

        2. 8

          To prevent mutt from auto invoking GPG use the following in your ~/.muttrc:

          set pgp_decrypt_command = “false”
          set pgp_auto_decode = no
          set pgp_use_gpg_agent = no
          set crypt_autopgp = no
          set crypt_verify_sig = no
          set crypt_use_gpgme = no

          I found it still calling pgp_decrypt_command even after setting all other variables, hence preemptively setting it to “false” as we don’t know what triggers the vuln.

          1. 8

            At least by using mutt/neomutt, we’ve secured ourselves against HTML-based exfiltration attacks. :)

            1. 4

              Most HTML-aware MUA these days don’t auto-load external resources either

              1. 4

                Still I find it a bit worrying that mutt is so eager to shell out to a command by default and apparently ignoring the auto decode flag - wonder if there are more, less popular formats that make it try calling random stuff. @fcambus found plenty in Lynx when he started pledging it.

                1. 1
              2. 5

                The efail paper (warning: pdf) has a table that shows mutt has no exfiltration channels. I believe pgp to be safe with mutt in the context of the efail attacks.

                1. 1

                  yeah, when I wrote the comment the paper was not available yet (or I wasn’t yet aware it was published).

                1. 7

                  So as far as I see, this isn’t necessarily a bug with PGP “itself”, when used for signing git commits or used in combination with pass, but rather when sending encrypted emails. Or am I wrong?

                  1. 2

                    The first exploit, is definitely not PGP’s fault.

                    Unfortunately because I don’t know S/MIME, I can’t comment. But it seems like there is some inherent problem with the second attack affecting both it and PGP.

                    1. 2

                      CBC and CFB encryption modes use the previous blocks when encrypting new blocks. There are some weaknesses, and of course OpenPGP and S/MIME use them. That seems to be part of the problem. The other part is that stitching together multipart messages is something that email clients have no problem with doing, so shit HTML, can result in a query string that exfiltrates the content of the decrypted parts.

                      1. 2

                        OpenPGP mitigates those weaknesses with authenticated encryption (MDC). So it’s still only a problem if a broken MUA ignores decryption errors from gpg (or if the email in question is using a very old cipher. so, the attack may work if you auto-load remote content on encrypted emails from before 2000)

                        1. 1

                          OpenPGP mitigates those weaknesses with authenticated encryption (MDC). So it’s still only a problem if a broken MUA ignores decryption errors from gpg (or if the email in question is using a very old cipher. so, the attack may work if you auto-load remote content on encrypted emails from before 2000)

                  2. 3

                    A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. […]

                    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

                    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

                    Answer to some obvious questions are provided by one of researchers at this twitter thread

                    1. 12

                      They figured out mail clients which don’t properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.

                      From GNU Privacy Guard on Twitter

                      Due to broken MIME parsers a bunch of MUAs seem to concatenate decrypted HTML mime parts which makes it easy to plant such HTML snippets.

                      There are two ways to mitigate this attack

                      • Don’t use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links.

                      • Use authenticated encryption.

                      From Werner Koch

                      1. 4

                        Also: Don’t make mistakes. That’s important.

                        1. 4

                          HTML e-mail and PGP always seemed mutually exclusive to me :-)

                          1. 2

                            Don’t use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links.

                            Appreciate the highlights. My friends and I just GPG-encrypt text or zip files that we mail to each other to avoid problems in email clients. Looks like we’ll be fine. :)