Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Privacy

Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org) 129

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. From a report: EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages. The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific).

In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication. Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.
Further reading: People Are Freaking Out That PGP Is 'Broken' -- But You Shouldn't Be Using It Anyway (Motherboard).
This discussion has been archived. No new comments can be posted.

Attention PGP Users: New Vulnerabilities Require You To Take Action Now

Comments Filter:
  • Weird Advice (Score:4, Insightful)

    by Carcass666 ( 539381 ) on Monday May 14, 2018 @09:51AM (#56608300)

    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

    In other news, lock picks can be used to open up your model of door lock. We advise you to remove all door locks from your door until a lock pick proof lock can be engineered and installed.

    • Re:Weird Advice (Score:5, Interesting)

      by Kiliani ( 816330 ) on Monday May 14, 2018 @10:01AM (#56608358)

      The key word was *automatically* – although it is not always clear in the press what you are supposed to do. So confusion will abound. No surprise there.

      In the end, you can still use PGP, but you have to do more work to be safe. I think, if you understand how to use PGP to begin with, you can probably help yourself for now. If not, well ....

      In your terms: keep your locks. But disable the remote locking feature (take the battery out) and don't use your app to lock your house - use your good old key you stored away in a box a long time ago. Yes, you will have to do actual work. And yes, someone can still break in - probably through the window. Or by kicking in the door ...

      • The key word was *automatically*

        And that key word makes me think that this might have something to do with passphrase caching.

        • No, it is a problem with mixed-messages which can have unencrypted HTML next to encrypted text. You can trick the client into decrypting a message you send to them and giving it back to you.
      • by gweihir ( 88907 )

        This should come as no surprise at all. Automatic decryption of emails is insecure, pretty much by definition. Anybody using that does not have security as it takes one tiny flaw somewhere else to exploit that. Also, automatically loading external stuff in an email reader is pretty much insane.

    • I think that if you read between the lines, the problem isn't that PGP can be broken. The problem is that there's a vulnerability in the PGP code such that a specially-crafted payload can exploit it and compromise your system... somehow.

      That's why they're specifically warning not to automatically open PGP-encrypted messages. It implies that someone might send a malicious PGP message that could cause damage, so you should be careful about which messages you decrypt until this is fixed.

      • Re:Weird Advice (Score:4, Informative)

        by cryptizard ( 2629853 ) on Monday May 14, 2018 @11:43AM (#56609110)
        Nope, the problem is that an adversary can send you a carefully crafted email, which inside of it has an old encrypted email that they want to break into, and due to automatic decryption and rendering of HTML elements the plaintext of that encrypted email gets exfiltrated to a target server. The core issue is actually in the way MIME works with multi-part emails where you are allowed to have some unencrypted HTML and some encrypted segments together in the same email.
        • Ok, so I'm not 100% right but not 100% wrong. It's not that they can compromise your system, but they can compromise your other encrypted messages.

          To reframe the metaphor, it's not "We've discovered that locks can be picked, so remove locks from all of your doors." It's more like, "We've discovered that there's a way that sticking your key into a malicious lock might allow them to scan your key and unlock your doors. Don't go sticking your key into unknown locks." Or something.

          • "Don't go sticking your key into unknown locks."

            More like "Stop using the automatic door unlocking tool". The analogy really doesn't work, but the point is that if you continue automatically decrypting emails with a buggy mail client, an attacker can arrange to be able to read emails encrypted to you.

            • More like "Stop using the automatic door unlocking tool".

              Yeah, but it's more like, "Don't have your automatic door unlocking tool automatically unlock any door that any random stranger might send to you."

              Like you said, the analogy doesn't work.

              • More like "Stop using the automatic door unlocking tool".

                Yeah, but it's more like, "Don't have your automatic door unlocking tool automatically unlock any door that any random stranger might send to you."

                Like you said, the analogy doesn't work.

                Right, but most email clients with S/MIME or PGP support do automatically decrypt and display any email. You have to click on it first, but why wouldn't you? Obviously the attacker would make sure the From and Subject fields contain values you'd expect to see... probably just use the ones from the email they intercepted and modified.

            • Yes, but some hipster is going to complain that having to be asked to decrypt every message is cumbersome and not as cool.

              • Yes, but some hipster is going to complain that having to be asked to decrypt every message is cumbersome and not as cool.

                And that still wouldn't help. Because how would anyone (hipster or not) decide whether to decrypt the message? The only information you have before the message is decrypted and displayed is the subject and sender, and the attacker will arrange for both of those to be things you'd expect to be legitimate. The attacker is someone who can intercept and modify your legitimate email, remember.

    • Re:Weird Advice (Score:4, Insightful)

      by Carewolf ( 581105 ) on Monday May 14, 2018 @10:14AM (#56608442) Homepage

      Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

      In other news, lock picks can be used to open up your model of door lock. We advise you to remove all door locks from your door until a lock pick proof lock can be engineered and installed.

      Yeah, I can't help but think however said that had an agenda. It does appear Thunderbird is fully compromised, while most other email clients including outlook are only compromised for S/MIME, and even for that it is for Outlook only 2007 and earlier.

    • Encryption bugs are rarely in the "math" part of code, and more often in the surrounding stuff that handles content.

      I'n guessing there is some sort of issue here where a cracker can expose data by sending a malformed email. So it's more like disabling a door lock that somebody could use to give you an electric shock...

  • by jbmartin6 ( 1232050 ) on Monday May 14, 2018 @09:53AM (#56608310)
    The problem is the clients decrypt, then process any external requests for content. So if you can re-send an encrypted email with an external content request added to it, the client will happily decrypt then send the content request with your precious decrypted content. If you globally disable fetching any external content you don't have to worry. The encryption protocols all work fine, it is the behavior of the clients after the decryption that is the problem. So S/MIME would be affected too, or potentially any other encryption tool. Refusing to load any external content under any circumstances is good advice anyway.
    • by xxxJonBoyxxx ( 565205 ) on Monday May 14, 2018 @10:02AM (#56608366)
      ^^^ THIS ^^^ - PGP and SMIME are still fine. It's that dumb-ass software put secure (decrypted) and non-secure content into the same pot, and let the non-secure content broadcast the secure content out.

      This site has the actual details (and paper): https://efail.de/

      "EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago. The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker."
      • by jbmartin6 ( 1232050 ) on Monday May 14, 2018 @11:25AM (#56608982)
        The kicker is, you can't control what your correspondent does with his email client, so any encrypted messages you have sent could be compromised in this way. But that was always the case since you would rely on the recipient to safeguard the keys anyway.
        • by Mryll ( 48745 )

          Ultimately you need to depend on them to safeguard the decrypted plaintext as well from any threat in the context

        • by gweihir ( 88907 )

          Indeed. The recipient can just publish the email or send it to a 3rd party. You need to be able to trust people you send secrets to.

    • by Anonymous Coward

      In other words, disable HTML rendering in your email client, and check for other external referencing stupidity it might have. All of which shouldn't be in your client in the first place. So get a better client.

      Which again means that the problem isn't in PGP/GPG, and the "security" "researchers" are much busier drumming up hype than they're doing useful work. Which is par for the course in s'kiddie-land. But we already knew that too, of course.

      • by gweihir ( 88907 )

        I agree, the behavior of these security "researchers" is really unethical and unacceptable. My initial reaction was that with an announcement this bombastic, it will likely turn out to not be an elephant but a mouse. And look, it is. And people with a secure set-up are not even affected, only people that use fundamentally insecure software in the first place.

    • by gweihir ( 88907 )

      On a related note, this is _email_! Automatically loading anything externally is just as insane as automatically opening attachments. Have the people writing this broken email software learned absolutely nothing from the past?

  • PGP is broken now? It's only had fairly infrequent and minor issues over time. If this is broken now, then it's the final sign that anyone who thinks computers can be secured is wrong. If you want something secure, write it down in a notebook. It'll be about 100x more secure than putting it on a computer simply by not being networked. Even if someone steals and reads your notebook it's better than someone having it on their phone (or PGP, now I guess) for the ENTIRE WORLD to come along and steal. Computers

    • by Carewolf ( 581105 ) on Monday May 14, 2018 @10:16AM (#56608458) Homepage

      PGP is broken now? It's only had fairly infrequent and minor issues over time. If this is broken now, then it's the final sign that anyone who thinks computers can be secured is wrong. If you want something secure, write it down in a notebook. It'll be about 100x more secure than putting it on a computer simply by not being networked. Even if someone steals and reads your notebook it's better than someone having it on their phone (or PGP, now I guess) for the ENTIRE WORLD to come along and steal. Computers are great for games, everything else is debatable.

      PGP is not broken. The way a few bad email clients are using it is broken. If you are not using Thunderbird you are safe with PGP. While S/MIME is comprised in every email client except modern Outlook, KMail, and mutt.

      • by Jahta ( 1141213 )

        PGP is broken now? It's only had fairly infrequent and minor issues over time. If this is broken now, then it's the final sign that anyone who thinks computers can be secured is wrong. If you want something secure, write it down in a notebook. It'll be about 100x more secure than putting it on a computer simply by not being networked. Even if someone steals and reads your notebook it's better than someone having it on their phone (or PGP, now I guess) for the ENTIRE WORLD to come along and steal. Computers are great for games, everything else is debatable.

        PGP is not broken. The way a few bad email clients are using it is broken. If you are not using Thunderbird you are safe with PGP. While S/MIME is comprised in every email client except modern Outlook, KMail, and mutt.

        If you are using Thunderbird and you have disabled loading remote content in messages (which you should be doing anyway) then this issue (which relies on automatic execution of embedded remote URLs) won't affect you. HTML emails are the real problem here.

    • by gweihir ( 88907 )

      PGP is very much _not_ broken. Some wannabee mail software is badly broken in how it handles HTML, MIME and PGP integration. This is also not a surprise at all. There is a reason many of us still use mutt or elm or the like at least for encrypted email.

  • by ugen ( 93902 ) on Monday May 14, 2018 @09:58AM (#56608342)

    Yes, indeed, some advice there. Because there is some potential for bad actors to possibly decrypt some of the PGP encrypted messages, if said messages include HTML with links to 3rd party sites (which your email client must display automatically), you need to **completely disable** email encryption. Then all of your email becomes clear text and, fully readable by anyone without effort, and thus you are completely safe from that vulnerability. SMH.

    That wonderful advice is brought to you by researchers in no way sponsored by NSA or any other 3 letter agency.

    For those worried - make sure your email client does not automatically display any embedded HTML links (or, better yet, just turn off HTML formatted email). I believe this is the default for Enigmail encrypted email anyway. Use plaintext, and you are as safe as cryptography allows. (I believe Enigmail authors posted a message to that effect).

    • by PPH ( 736903 )

      which your email client must display automatically

      Must? I guess I'm in real trouble. Because I read my e-mail with elm. The standards police will be kicking in my door any minute now.

      • by ugen ( 93902 )

        To quote myself: "there is some potential for bad actors to possibly decrypt some of the PGP encrypted messages, if said messages include HTML with links to 3rd party sites (which your email client must display automatically)".

        Explanation: For bad actors to decrypt PGP encrypted messages, these messages must include HTML with links to 3rd party sites and your email client must display such links automatically.

    • you need to **completely disable** email encryption

      And there's where your reading comprehension failed.

      The recommendation is to disable automatic email decryption. Because a lot of email clients will automatically decrypt the email and then happily run the "active content" in that email (aka hit an external server to download images or other HTML-email-fun).

      So go ahead an send emails encrypted. And go ahead and decrypt your emails...manually so that you're doing it in a place that will not automatically run the HTML.

      • by ugen ( 93902 )

        This is not what I see when I read articles on the topic. For example: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

        They suggest completely disabling or *uninstalling* tools that automatically decrypt PGP messages. There are multiple guides following this advisory that explain how to completely uninstall or disable Enigmail in email client (Thunerbird etc).

        • They suggest completely disabling or *uninstalling* tools that automatically decrypt PGP messages

          Hey look! It's exactly what I said.

          Once again, the advice is not to stop using PGP or S/MIME. It's to not automatically decrypt messages because of HTML email.

    • by gweihir ( 88907 )

      Indeed. This whole problem comes from crappy clueless implementations and crappy clueless defaults. Turning off PGP completely is entirely the wrong reaction.

  • by Xoc-S ( 645831 ) on Monday May 14, 2018 @10:02AM (#56608368)
    I'm no security expert, but allowing HTML mail to arbitrarily download embedded graphics in a mail client is just dumb. From my reading of the articles, doing that doesn't disable the problem, but keeps the information from escaping back to the malicious parties. This is a mail client problem triggering PGP to decrypt, then allowing the information to escape through embedded graphics, not a fundamental problem in PGP itself. Turning off HTML mail support at the client and just taking the text representation of the message looks like it completely defeats the hack. Tell me if I'm wrong.
    • I'm no security expert, but allowing HTML mail to arbitrarily download embedded graphics in a mail client is just dumb. From my reading of the articles, doing that doesn't disable the problem, but keeps the information from escaping back to the malicious parties. This is a mail client problem triggering PGP to decrypt, then allowing the information to escape through embedded graphics, not a fundamental problem in PGP itself. Turning off HTML mail support at the client and just taking the text representation of the message looks like it completely defeats the hack. Tell me if I'm wrong.

      As a KMail user I have the default to never download HTML content. You would be surprised how many emails rely on it, though mostly newsletter that can usually be ignored, but sometimes website-integration messages are equally crappy. In Kmail it fortunately an option to override the external content for a single email at a time, so this bug would only affect you if you did a warned against security override on an encrypted email, in which case you are asking for it, and you can't really leak more than what

      • by gweihir ( 88907 )

        And _that_ is a sane default. Do insecure things, be insecure. There is not even a story here except that apparently many makers of email software are really clueless about security.

    • by gweihir ( 88907 )

      I am a security expert and I would upgrade that to "extremely dumb" as in "completely clueless about security". And no, you are not wrong. Also, having a correct MIME parser or taking the warning about missing integrity protection seriously also works to solve this. This is a problem on the side of the mail software affected.

      Caveat: I have not looked at the finer details. I use mutt as mailer for anything encrypted with lynx as html-to-text filter and are decidedly not affected by any of this.

  • by freax ( 80371 ) on Monday May 14, 2018 @10:04AM (#56608380) Homepage

    From https://lists.gnupg.org/piperm... [gnupg.org] :

    > 1. This paper is misnamed.
    Indeed
    > 2. This attack targets buggy email clients.
    Exactly
    > 3. The authors made a list of buggy email clients.
    Well said.

    The MUA should not allow *any* utilization of HTTP when rendering a HTML E-mail. Any form of doing that is a serious mistake. Not only because of what is reported here, but also because that way *that* use of HTTP will allow spammers to identify when you open the E-mail. They use that to know if your E-mail adress is still alive.

    Serious MUAs don't do this without user consent. Most HTML components even have a explicit offline mode exactly for that reason. Meaning that they won't automatically go online and fetch things like the src url of an IMG.

    Any MUA that does this without user consent is completely and utterly wrong. Especially in a security sensitive context. This is something most MUA developers know about and if not, should know.

  • Comment removed based on user account deletion
    • I also think the EFF is a bit paranoid in issuing a 'full stop' to using PGP until this is fixed. At worst, you should send a link to the PGP document you'd like the user to read (in plaintext of course.)

      The EFF said no such thing; they recommended uninstalling or disabling widgets that *automatically* decrypt in the MUA.

  • temporarily stop sending and especially reading PGP-encrypted email

    Sounds like just what the spies would like you to do to gain temporary access to most communications that used to be encrypted, while disabling some of them...

  • by 93 Escort Wagon ( 326346 ) on Monday May 14, 2018 @10:15AM (#56608446)

    Seriously - there’s no good reason for an email which is important enough to encrypt to include html or other “rich formatting” anyway. Just turn it all off.

    • by Anonymous Coward

      email which is important enough to encrypt

      That would be all email. Your local burglar doesn't need to know that you just told your wife you'll be home late. Your insurance company doesn't need to know you want your wife to pick up some beer on the way home. Your ad company doesn't need to know that you think Disaster Area is the hoopiest band ever, or that you just wished your father's brother's nephew's cousin's former roommate a happy birthday. Etc. There aren't any emails that don't need encryption.

      Exce

    • by Kjella ( 173770 )

      Seriously - thereâ(TM)s no good reason for an email which is important enough to encrypt to include html or other âoerich formattingâ anyway. Just turn it all off.

      While that's true it's been a long time since I saw an exploit in actual HTML rendering code that didn't involve Javascript or some other active component. The problem is that email inherited the browser's "let's go out and gather all the bits and pieces" logic instead of being inline only, like if you could send text/html, text/css, image/jpeg as a MIME message and it'd render that HTML code styled using that CSS displaying that image in an <img> tag that would be fine for all but the most paranoid a

  • >Immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email!
  • My understanding of this is that it applies only to HTML email - if you are using S/MIME and PGP/GnuPG with text-only emails, you should be fine. So why are EFF calling for disabling all PGP and GnuPG?

    • by Anonymous Coward

      The problem comes if you're using a client that can render HTML emails. The emails you've sent in the past might be plaintext, and you might just receive plaintext emails, but if HTML rendering is turned on, you could end up rendering an email an attacker sends you. So, if you just receive plaintext emails, just disable html rendering and you're fine.

    • by gweihir ( 88907 )

      The thing is that apparently most email software these days is badly broken and will not only gladly load external includes in HTML email, but also mess up the MIME parsing and ignore warnings about missing integrity protection. I feel pretty smug now that I am on mutt (and will remain on it as primary MUA), even though I had to add lynx as an HTML-to-text filter because some people feel it is acceptable to send HTML-only email. If this were just private email, I would have happily ignored these, but unfort

  • by Anonymous Coward

    This vulnerability affects those who have no idea how to use encrypted emails. HTML is not to be used in encrypted emails, neither is external references. In fact anyone who is versed in the secure use of email has any and all external references disabled. I do not care for your fancy font or for the background wall paper, If you refuse to attach any pertinent images directly to the email then they are not worth my time. Email is meant to be used as a direct method of communication, only the relevant portio

  • by Anonymous Coward

    Either some didn't read the entire article or don't understand the need for authenticated encryption.

    The issue the EFF is concerned about is that the OpenPGP spec doesn't mandate authenticated encryption and doesn't specify what to do if authentication fails.

    The authentication tag could be as simple as the HMAC of the encrypted message using the symmetric key as the HMAC "secret". Attackers can't create provide a modified message that could be authenticated without knowing the shared key.

    Have the minimum AE

    • by gweihir ( 88907 )

      And that is just it. This thing is way blown out of proportion and it is attributing blame to the wrong tool (and people).

  • And really has not much to do with PGP/GnuPG either, it is about the insane HTML integration in email software that can leak data if external resources are loaded automatically and, apparently, your email is decrypted automatically. If you have either of these, your security has gone out of the window long before the present issue was discovered. Also seems to require a broken MIME parser. Hence this is an issue with mailers, not with PGP/GnuPG (or rather the OpenPGP format). Pretty much the same screw-up b

The world is no nursery. - Sigmund Freud

Working...