Re: Vulnerable clients (was: US-CERT now issuing a warning for OpenPGP-SMIME-Mail-Client-Vulnerabilities)
El día Tuesday, May 15, 2018 a las 10:44:16AM +0200, Werner Koch escribió: > On Tue, 15 May 2018 03:31, je...@seibercom.net said: > > NCCIC encourages users and administrators to review CERT/CC’s Vulnerability > > Note VU #122919. > > Doesn't CERT read the paper before produciong a report? The table of > vulnerable MUAs is easy enough to read. To better see what we are > discussing, here is the table in plain text format with the check marks > replaced by yes and no. > > --8<---cut here---start->8--- > TABLE OF VULNERABLE MAIL CLIENTS > > | OS | Client | S/MIME | PGP | > | | || -MDC | +MDC | SE | > |-+-++--+--+-| > | Windows | Outlook 2007| yes| yes | yes | no | > | | Outlook 2010| yes| no | no | no | > | | Outlook 2013| user | no | no | no | > | | Outlook 2016| user | no | no | no | > | | Win. 10 Mail| yes| –| –| – | > | | Win. Live Mail | yes| –| –| – | > | | The Bat!| user | no | no | no | > | | Postbox | yes| yes | yes | yes | > | | eM Client | yes| no | yes | no | > | | IBM Notes | yes| –| –| – | > | Linux | Thunderbird | yes| yes | yes | yes | > | | Evolution | yes| no | no | no | > | | Trojitá | yes| no | no | no | > | | KMail | user | no | no | no | > | | Claws | no | no | no | no | > | | Mutt| no | no | no | no | > | macOS | Apple Mail | yes| yes | yes | yes | > | | MailMate| yes| no | no | no | > | | Airmail | yes| yes | yes | yes | > | iOS | Mail App| yes| –| –| – | > | | Canary Mail | – | no | no | no | > | Android | K-9 Mail| – | no | no | no | > | | R2Mail2 | yes| no | yes | no | > | | MailDroid | yes| no | yes | no | > | | Nine| yes| –| –| – | > | Webmail | United Internet | – | no | no | no | > | | Mailbox.org | – | no | no | no | > | | ProtonMail | – | no | no | no | > | | Mailfence | – | no | no | no | > | | GMail | yes| –| –| – | > | Webapp | Roundcube | – | no | no | yes | > | | Horde IMP | user | no | yes | yes | > | | AfterLogic | – | no | no | no | > | | Rainloop| – | no | no | no | > | | Mailpile| – | no | no | no | > > > -= Encryption not supported > no = Not vulnerable > yes = Vulnerable > user = Vulnerable after user consent > > -MDC = with stripped MDC, +MDC = with wrong MDC, SE = SE packets > --8<---cut here---end--->8--- > > My conclusion is that S/MIME is vulnerable in most clients with the > exception of The Bat!, Kmail, Claws, Mutt and Horde IMP. I take the > requirement for a user consent as non-vulnerable. Most of the > non-vulnerable clients use GnuPG as their engine. Werner, my conclusion in addition is that the table is incorrect. Most (if not even all) of the MUA which are noted for Linux do run on nearly any other UNIX flavor, FreeBSD, OpenBSD, ... and mutt in addition runs on Canonical Ubuntu for smartphones/tablets and UBports devices. matthias -- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Vulnerable clients (was: US-CERT now issuing a warning for OpenPGP-SMIME-Mail-Client-Vulnerabilities)
On Tue, 15 May 2018 03:31, je...@seibercom.net said: > NCCIC encourages users and administrators to review CERT/CC’s Vulnerability > Note VU #122919. Doesn't CERT read the paper before produciong a report? The table of vulnerable MUAs is easy enough to read. To better see what we are discussing, here is the table in plain text format with the check marks replaced by yes and no. --8<---cut here---start->8--- TABLE OF VULNERABLE MAIL CLIENTS | OS | Client | S/MIME | PGP | | | || -MDC | +MDC | SE | |-+-++--+--+-| | Windows | Outlook 2007| yes| yes | yes | no | | | Outlook 2010| yes| no | no | no | | | Outlook 2013| user | no | no | no | | | Outlook 2016| user | no | no | no | | | Win. 10 Mail| yes| –| –| – | | | Win. Live Mail | yes| –| –| – | | | The Bat!| user | no | no | no | | | Postbox | yes| yes | yes | yes | | | eM Client | yes| no | yes | no | | | IBM Notes | yes| –| –| – | | Linux | Thunderbird | yes| yes | yes | yes | | | Evolution | yes| no | no | no | | | Trojitá | yes| no | no | no | | | KMail | user | no | no | no | | | Claws | no | no | no | no | | | Mutt| no | no | no | no | | macOS | Apple Mail | yes| yes | yes | yes | | | MailMate| yes| no | no | no | | | Airmail | yes| yes | yes | yes | | iOS | Mail App| yes| –| –| – | | | Canary Mail | – | no | no | no | | Android | K-9 Mail| – | no | no | no | | | R2Mail2 | yes| no | yes | no | | | MailDroid | yes| no | yes | no | | | Nine| yes| –| –| – | | Webmail | United Internet | – | no | no | no | | | Mailbox.org | – | no | no | no | | | ProtonMail | – | no | no | no | | | Mailfence | – | no | no | no | | | GMail | yes| –| –| – | | Webapp | Roundcube | – | no | no | yes | | | Horde IMP | user | no | yes | yes | | | AfterLogic | – | no | no | no | | | Rainloop| – | no | no | no | | | Mailpile| – | no | no | no | -= Encryption not supported no = Not vulnerable yes = Vulnerable user = Vulnerable after user consent -MDC = with stripped MDC, +MDC = with wrong MDC, SE = SE packets --8<---cut here---end--->8--- My conclusion is that S/MIME is vulnerable in most clients with the exception of The Bat!, Kmail, Claws, Mutt and Horde IMP. I take the requirement for a user consent as non-vulnerable. Most of the non-vulnerable clients use GnuPG as their engine. For OpenPGP I see lots of no and only a few vulnerable clients: Support for Outlook 2007 has long been dropped and Gpg4win/GpgOL gives a big warning when you try to use it with OL2007. All other Outlook versions are not vulnerable. The case for Thunderbird/Enigmail is not that clear because the researcher confirmed that Enigmail 2.0 is in general not vulnerable; we don't know which version of Enigmail was tested. I don't know Postbox, Apple mailers or Horde IMP. Salam-Shalom, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpi85UbTinFW.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
US-CERT now issuing a warning for OpenPGP-SMIME-Mail-Client-Vulnerabilities
NCCIC encourages users and administrators to review CERT/CC’s Vulnerability Note VU #122919. https://www.us-cert.gov/ncas/current-activity/2018/05/14/OpenPGP-SMIME-Mail-Client-Vulnerabilities -- Jerry ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
