Fabio Pietrosanti (naif):
> I just wanted to note that the most used encryption software, like
> GnuPG and Enigmail, has some privacy leaks that in the XKEYSCORE age
> could represent a major risk.
> 
> a) Enigmail, Thunderbird's PGP plugin, does send "X-Enigmail-Version:"
> header on ALL email sent, also the unencrypted one.
> 
> b) GnuPG, following the " -----BEGIN PGP MESSAGE-----", does add version
> information such as " Version: GnuPG/MacGPG2 v2.0.19 (Darwin)" .
> 
> So, from an adversary perspective monitoring traffic encrypted with GnuPG
> and Enigmail, those are extremely valuable information to plan and
> prepare for an end-point attack, profiling the end-user target.
> 
> Are those pieces of information really needed to make the Enigmail /
> GnuPG software working?
> 

When a user uses TorBirdy with Enigmail and Thunderbird, we disable
those information leaks. We also have a mode (disabled by default due to
user complaints) to remove the keyid of the recipient from the PGP
encrypted message itself.

All the best,
Jacob
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.
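
As an added example (not part of either message above, and not code from Enigmail, GnuPG or TorBirdy), the following audits an outgoing message for the two fields named in the thread and removes them from a single-part message. The function names, addresses, Enigmail version value and ciphertext are constructed for illustration.

```python
import re
from email import message_from_string

ARMOR_BEGIN = re.compile(r"^-----BEGIN PGP [A-Z ]+-----\s*$")

# Constructed sample: addresses, Enigmail version and ciphertext are invented;
# the armor Version string is the one quoted in the thread.
SAMPLE = """\
From: alice@example.org
X-Enigmail-Version: 1.5.1

-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)

hQEMA0constructedNotRealCiphertext00000000000000000000000000
=AbCd
-----END PGP MESSAGE-----
"""

def armor_version_lines(lines):
    """Yield (index, value) for Version: lines inside an armor header block."""
    in_headers = False
    for i, line in enumerate(lines):
        if ARMOR_BEGIN.match(line):
            in_headers = True          # armor headers run until the first blank line
        elif in_headers and line.startswith("Version:"):
            yield i, line[len("Version:"):].strip()
        elif ":" not in line:          # blank line or data ends the header block
            in_headers = False

def find_leaks(raw_message):
    """Return (source, value) pairs that identify the sender's software."""
    msg = message_from_string(raw_message)
    leaks = [("X-Enigmail-Version header", v)
             for v in msg.get_all("X-Enigmail-Version", [])]
    for part in msg.walk():
        if not part.is_multipart():
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            leaks += [("armor Version line", v)
                      for _, v in armor_version_lines(text.splitlines())]
    return leaks

def scrub(raw_message):
    """Remove both fields; assumes a single-part (inline PGP) message."""
    msg = message_from_string(raw_message)
    if msg.is_multipart():
        raise ValueError("only single-part messages are handled here")
    del msg["X-Enigmail-Version"]      # no error if the header is absent
    lines = msg.get_payload().splitlines()
    drop = {i for i, _ in armor_version_lines(lines)}
    msg.set_payload("\n".join(l for i, l in enumerate(lines) if i not in drop) + "\n")
    return msg.as_string()
```

A `Version:` line in ordinary body text is left alone, because only lines between the `-----BEGIN PGP ...-----` marker and the first blank line are armor headers. GnuPG's `--no-emit-version` option suppresses the armor line at the source.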
