On 14-05-18 12:53, Andi via Users wrote:
Hello,

today a new threat against encrypted e-mail (PGP and S/MIME) is in the news:

https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

From what I understand, the basic problem is that it is possible to inject special data into already encrypted e-mail, which then will be reported back after decryption with HTML URLs to the attacker and can be used to derive the key used for encryption.

So I guess one would need the following conditions to be true for the attack to succeed:

- The MUA accesses external URLs to load content in HTML e-mail (automatically)

- The e-mail will be decoded despite the altered content (not validly signed at least)

- Probably many e-mails are needed to get the oracle attack to work?

So for Ciphermail there should be no direct problem because it does not "read" the e-mail or obey URLs in the e-mail? But the question remains if there is a possibility to prevent the "vulnerable" clients against attack e-mails passing Ciphermail by not decrypting them or something like that?

Maybe I'm totally wrong, but thanks for any feedback on this.

I'm still investigating the actual vulnerability but from what I have read I would say it's more a vulnerability in email clients which can be exploited to get parts of the plain text from a previously sent email.

To be vulnerable, the mail client should automatically retrieve remote information (for example images or CSS files). Allowing your mail client to automatically retrieve information from remote sources is strongly discouraged anyway because it can also be used by trackers (1 pixel images).

The vulnerability is that an attacker can create an email containing previously encrypted content which is then decrypted. The decrypted content however is embedded into a link (image, CSS etc.). If the mail client then tries to retrieve the remote link, it sends the URL (which contains part of the email). The attacker then retrieves the link and can extract the text.

To mitigate this, the first step would be to disallow your mail client to retrieve remote content (so block loading remote content).

I will do some further analysis and see whether a server side fix can work around the issue.

Kind regards,

Martijn Brinkers


--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail
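
An added example, not part of the original thread and not CipherMail code: a small Python check that lists the references in a message's HTML parts which a mail client would fetch without a click, the remote content the reply above recommends blocking. The attribute list, the function names and the sample message are assumptions made for this illustration.

```python
import re
from email import message_from_bytes, policy

# [^>]* also matches a tag that is never closed, so malformed markup is still reported.
TAG_RE = re.compile(r"<([a-zA-Z][\w-]*)\b([^>]*)")
ATTR_RE = re.compile(
    r"""(?<![\w-])(src|srcset|background|poster|href)\s*=\s*["']?\s*((?:https?:)?//[^\s"'>]+)""",
    re.I)
CSS_RE = re.compile(r"""(?:url\(|@import)\s*["']?\s*((?:https?:)?//[^\s"')]+)""", re.I)


def remote_refs_in_html(html):
    """Return (tag, attribute, url) for every reference a renderer would fetch unprompted."""
    refs = []
    for tag, attrs in TAG_RE.findall(html):
        for attr, url in ATTR_RE.findall(attrs):
            if attr.lower() == "href" and tag.lower() != "link":
                continue  # ordinary hyperlinks are only followed on a click
            refs.append((tag.lower(), attr.lower(), url))
    # CSS url(...) and @import, whether in <style> blocks or style attributes
    refs += [("css", "url", url) for url in CSS_RE.findall(html)]
    return refs


def remote_refs(raw_message):
    """Scan every text/html part of a raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            found += remote_refs_in_html(part.get_content())
    return found


# Constructed sample message (not from the thread): a CSS background, an
# ordinary hyperlink, a 1-pixel tracking image and an inline cid: image.
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.com\r\nSubject: sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/alternative; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"see http://tracker.example/plain\r\n"
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body style=\"background:url(http://tracker.example/bg.png)\">"
    b"<a href=\"https://www.example.com/\">link</a>"
    b"<img src=\"http://tracker.example/p.gif?id=1\" width=1 height=1>"
    b"<img src=\"cid:logo\"></body></html>\r\n"
    b"--b1--\r\n")

if __name__ == "__main__":
    for ref in remote_refs(SAMPLE):
        print(ref)
```

A non-empty result is the signal to quarantine the message or render it with remote loading disabled; the plain-text URL, the clickable link and the `cid:` image are deliberately not reported.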
