US-CERT now issuing a warning for OpenPGP-SMIME-Mail-Client-Vulnerabilities

NCCIC encourages users and administrators to review CERT/CC’s Vulnerability Note VU #122919. https://www.us-cert.gov/ncas/current-activity/2018/05/14/OpenPGP-SMIME-Mail-Client-Vulnerabilities -- Jerry ___ Gnupg-users mailing list

Re: Efail or OpenPGP is safer than S/MIME

Werner Koch, wk, at gnupg.org wrote on Mon May 14 19:32:18 CEST 2018: ... I am all in favor of this and even considered to that some time ago. However, not too long ago we removed support for PGP-2 keys which unfortunately resulted in lots of angry mails from people who now think they need to use

Re: Efail or OpenPGP is safer than S/MIME

Hi On Monday 14 May 2018 at 1:33:03 PM, in , Fiedler Roman wrote:- > This would also prevent many other programming > errors: e.g. if gpg > claims to have processed 2 signed messages, a client > has to verify, > that it also

Re: Don't Panic.

> I'm going to add this to the HN thread. I trust that's OK. Go for it. :) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Don't Panic.

On 05/13/2018 08:27 PM, Robert J. Hansen wrote: > [taps the mike] > > Hi. I maintain the official GnuPG FAQ. So let me start off by > answering a question that is certainly about to be asked a lot: "Should > we be worried about OpenPGP, GnuPG, or Enigmail? The EFF's advising us > to uninstall

Re: Don't Panic.

> On 14 May 2018, at 14:47, Dan Kegel wrote: > > Anyway, if you have a checkbox for 'automatically decrypt', you might > consider unticking it.) This may not be sufficient. It’s not just automatic decryption but any decryption at all in the client that can trigger a callback.

Re: Efail or OpenPGP is safer than S/MIME

> On 14 May 2018, at 18:32, Werner Koch wrote: > > On Mon, 14 May 2018 15:44, andr...@andrewg.com said: > >> This all exposes one of the difficulties with trying to manage security >> software in a decentralised ecosystem. We end up in arguments over whose > > That is actually

Re: Efail or OpenPGP is safer than S/MIME

> On 14 May 2018, at 18:57, Lars Noodén wrote: > > How feasible would it be to strip or disable encryption in a fork of an > old version and just leave it capable of decryption? I’m sure it’s feasible, but it doesn’t address this issue or any other kind of oracle,

Re: Efail or OpenPGP is safer than S/MIME

On Mon, 14 May 2018 15:44, andr...@andrewg.com said: > This all exposes one of the difficulties with trying to manage security > software in a decentralised ecosystem. We end up in arguments over whose That is actually easy compared to a system which is also designed to protect data at rest.

Re: Don't Panic.

On 14/05/2018 08:27, Robert J. Hansen wrote: > Werner saw a preprint of this paper some time ago. I saw it recently. > Patrick Brunschwig of Enigmail saw it. None of us are worried. Out of > respect for the paper authors I will skip further comment until such > time as the paper is published. >

Re: Don't Panic.

On 14/05/2018 08:27, Robert J. Hansen wrote: > Werner saw a preprint of this paper some time ago. I saw it recently. > Patrick Brunschwig of Enigmail saw it. None of us are worried. Out of > respect for the paper authors I will skip further comment until such > time as the paper is published. >

Re: Don't Panic.

Thanks for the heads up! (The eff alert only suggests disabling tools that *automatically* decrypt messages, Stumbling around a bit on the net, this sounds like a rehash of https://sourceforge.net/p/enigmail/bugs/226/ Anyway, if you have a checkbox for 'automatically decrypt', you might consider

Re: Efail or OpenPGP is safer than S/MIME

On 14/05/18 13:42, Robert J. Hansen wrote: >> If I read it correctly, it also has another attack, no longer based on >> user agents concatenating HTML mime parts, but also based on CFB >> gadgets. Which, here, looks like a flaw in the OpenPGP specification >> indeed (and thus GnuPG's

AW: Efail or OpenPGP is safer than S/MIME

> Von: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] Im Auftrag von > > On 14/05/18 12:25, Robert J. Hansen wrote: > > The problem is that gpg doesn't say anything. I would expect a > > DECRYPTION_FAILED message here: > > So perhaps the solution is to throw a big warning and prompt when an

Re: Efail or OpenPGP is safer than S/MIME

> If I read it correctly, it also has another attack, no longer based on > user agents concatenating HTML mime parts, but also based on CFB > gadgets. Which, here, looks like a flaw in the OpenPGP specification > indeed (and thus GnuPG's implementation of it), and not in MUAs? MDCs stop it dead.

Re: Efail or OpenPGP is safer than S/MIME

On 05/14/2018 09:45 AM, Werner Koch wrote:> The topic of that paper is that HTML is used as a back channel to create > an oracle for modified encrypted mails. It is long known that HTML > mails and in particular external links like > are evil if the MUA actually honors them (which many meanwhile

Efail press release

Over the last few hours, Werner, Andre, and I have been working on an official statement about the Efail paper. Without further ado, here it is. An Official Statement on New Claimed Vulnerabilities == = == === === === by the GnuPG and Gpg4Win teams (This

Re: Mailpile on Efail

On Mon, 14 May 2018 13:47, r...@sixdemonbag.org said: > Short version: Mailpile isn't impressed, either, and is a little annoyed > they were mistakenly listed as being vulnerable. Yes, all green in the table for Mailpile. GgpOL (Gpg4win's Outlook plugin) is also claimed to be vulnerable but the

Re: Efail or OpenPGP is safer than S/MIME

On 14/05/18 12:25, Robert J. Hansen wrote: > The problem is that gpg doesn't say anything. I would expect a > DECRYPTION_FAILED message here: So perhaps the solution is to throw a big warning and prompt when an integrity check failure is thrown by gnupg? That would mitigate the current issue, but

Mailpile on Efail

https://www.mailpile.is/blog/2018-05-14_PGP_Security_Alert.html Short version: Mailpile isn't impressed, either, and is a little annoyed they were mistakenly listed as being vulnerable. signature.asc Description: OpenPGP digital signature ___

Re: Efail or OpenPGP is safer than S/MIME

On 14/05/18 12:23, Robert J. Hansen wrote: > It's worth noting, incidentally, the #Efail attack flat-out requires > MIME. So inline PGP messages are not vulnerable, as there's no MIME > parsing pass which can be exploited. So you're *still* safe I wouldn't be that confident. I haven't tested

Re: Efail or OpenPGP is safer than S/MIME

... and Patrick, moving faster than the speed of light, already has the bug triaged and bounced back. This is actually a GnuPG bug, not an Enigmail bug. From Patrick: = The problem is that gpg doesn't say anything. I would expect a DECRYPTION_FAILED message here: [GNUPG:] ENC_TO

Re: Efail or OpenPGP is safer than S/MIME

> Argh, I meant to say 3DES of course, not MD5. Sorry. It's worth noting, incidentally, the #Efail attack flat-out requires MIME. So inline PGP messages are not vulnerable, as there's no MIME parsing pass which can be exploited. So you're *still* safe, although this is still a bug that should

Re: Efail or OpenPGP is safer than S/MIME

On 14/05/18 12:13, Andrew Gallagher wrote: > I tried again using CAST5 instead of MD5 to bypass the smartcard bug. Argh, I meant to say 3DES of course, not MD5. Sorry. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___

Re: Efail or OpenPGP is safer than S/MIME

Fascinating. I've thrown it over to Patrick: we'll look into it and get back in touch soon. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Efail or OpenPGP is safer than S/MIME

On 14/05/18 10:42, Robert J. Hansen wrote: > ... Yep, GnuPG will warn you the message was not integrity protected. > Your email client should see this warning and refuse to render the message. I tried again using CAST5 instead of MD5 to bypass the smartcard bug. The news is not good. ```

Re: Efail or OpenPGP is safer than S/MIME

On 14/05/18 10:42, Robert J. Hansen wrote: > ... Yep, GnuPG will warn you the message was not integrity protected. > Your email client should see this warning and refuse to render the message. Yes, but that's not as serious as the error thrown for an unprotected AES message. Do mail clients treat

Re: Efail or OpenPGP is safer than S/MIME

>> We hesitate to require the MDC also for old algorithms (3DES, CAST5> >> because a lot of data has been encrypted using them in the first >> years of OpenPGP. > > So if someone sends me a 3DES-encrypted mail it won't check the MDC? > Doesn't gpg still support reading 3DES? Let's try it and find

Re: Efail or OpenPGP is safer than S/MIME

On 14/05/18 10:15, Robert J. Hansen wrote: >> I see that MDC is the default for all modern ciphers, but does that imply >> that MDC *checking* is the default? > MDC is an attribute of the packet, not the cipher. By default, all > ciphers in the GnuPG suite use MDC. OK, but from Werner's link

Re: Efail or OpenPGP is safer than S/MIME

> So how do we enforce MDC checking at the receiving end? I assume this is > something that has to be handled by the calling program at the moment. By default, GnuPG will scream bloody murder if a message lacks an MDC or if the MDC is invalid. At that point it's up to your email client to pay

Re: Efail or OpenPGP is safer than S/MIME

Hi! I digged in my mail archives and found a discussion with Sebastian Schinzel about a work in progress thing which turned out to not being a GnuPG problem. Here is a timeline with my messages. On 2017-11-24 we were asked for the encryption keys of the security at gnupg.org address. On the

Re: Efail or OpenPGP is safer than S/MIME

On 14/05/18 08:45, Werner Koch wrote: > The topic of that paper is that HTML is used as a back channel to > create an oracle for modified encrypted mails. This confirms that my forensic analysis of the wording of the announcement was sound. ;-) The good thing is that oracle attacks are *noisy*,

Re: Efail or OpenPGP is safer than S/MIME

The following is what I wrote to a journalist covering the story: = We've known about problems in OpenPGP's feedback mode for at least thirteen years. (See https://eprint.iacr.org/2005/033.pdf for an example.) The OpenPGP working group resolved these problems by adopting modification

Don't Panic.

[taps the mike] Hi. I maintain the official GnuPG FAQ. So let me start off by answering a question that is certainly about to be asked a lot: "Should we be worried about OpenPGP, GnuPG, or Enigmail? The EFF's advising us to uninstall it!"

Attention PGP Users: New Vulnerabilities Require You to Take Action Now

| A group of European security researchers have released a warning | about a set of vulnerabilities affecting users of PGP and S/MIME. | EFF has been in communication with the research team, and can | confirm that these vulnerabilities pose an immediate risk to | those using these tools for email

Efail or OpenPGP is safer than S/MIME

Hi! Some may have noticed that the EFF has warnings about the use of PGP out which I consider pretty overblown. The GnuPG team was not contacted by the researchers but I got access to version of the paper related to KMail. It seems to be the complete paper with just the names of the other MUAs

Re: smartcards and GPGME

On Mon, 14 May 2018 00:26, tookm...@gmail.com said: > the smartcard from an application. While this can be done from gpg, it > doesn't look like I can do so from GPGME or any other wrappers that > exist. Have I missed something or is this simply not possible yet? GPGME allows to do that. For

Re: smartcards and GPGME

Hi, On Sunday, May 13, 2018 6:26:04 PM CEST Jacob Adams wrote: > As part of a program I'm writing this summer for GSoC, I'd like to be > able to both move gpg private keys to a smartcard and generate keys on > the smartcard from an application. While this can be done from gpg, it > doesn't look