An Official Statement on New Claimed Vulnerabilities

BM-2cUkXeXVYt89UJmbSa7LPmNLTTA6K3XPUD
May 15 11:31 [raw]

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html Over the last few hours, Werner, Andre, and I have been working on an official statement about the Efail paper. Without further ado, here it is. An Official Statement on New Claimed Vulnerabilities == ======== ========= == === ======= =============== by the GnuPG and Gpg4Win teams (This statement is only about the susceptibility of OpenPGP, GnuPG, and Gpg4Win. It does not cover S/MIME.) Recently some security researchers published a paper named "Efail: Breaking S/MIME and OpenPGP Encryption using Exfiltration Channels". The EFF has gone so far as to recommend immediately uninstalling Enigmail. We have three things to say, and then we're going to show you why we're right. 1. This paper is misnamed. 2. This attack targets buggy email clients. 3. The authors made a list of buggy email clients. In 1999 we realized OpenPGP's symmetric cipher mode (a variant of cipher feedback) had a weakness: in some cases an attacker could modify text. As Werner Koch, the founder of GnuPG, put it: "[Phil Zimmermann] and Jon Callas asked me to attend the AES conference in Rome to discuss problems with the CFB mode which were on the horizon. That discussion was in March 1999 and PGP and GnuPG implemented a first version [of our countermeasure] about a month later. According to GnuPG's NEWS file, [our countermeasure] went live in Summer 2000." The countermeasure Werner mentions is called a Modification Detection Code, or MDC. It's been a standard part of GnuPG for almost eighteen years. For almost all that time, any message which does not have an MDC attached has caused GnuPG to throw up big, clear, and obvious warning messages. They look something like this: gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created 2017-01-01 "Werner Koch <wk at gnupg.org>" [GNUPG:] BEGIN_DECRYPTION [GNUPG:] DECRYPTION_INFO 0 7 [GNUPG:] PLAINTEXT 62 1526109594 [GNUPG:] PLAINTEXT_LENGTH 69 There is more to life than increasing its speed. -- Mahatma Gandhi gpg: WARNING: message was not integrity protected [GNUPG:] DECRYPTION_FAILED [GNUPG:] END_DECRYPTION GnuPG also throws large warning messages if an MDC indicates a message has been modified. In both cases, if your email client respects this warning and does the right thing -- namely, not showing you the email -- then you are completely protected from the Efail attack, as it's just a modern spin on something we started defending against almost twenty years ago. If you're worried about the Efail attack, upgrade to the latest version of GnuPG and check with your email plugin vendor to see if they handle MDC errors correctly. Most do. You might be vulnerable if you're running an ancient version of GnuPG (the 1.0 series; the current is 2.2), or if your email plugin doesn't handle GnuPG's warning correctly. You might also have had some exposure in the past if back then you used a pre-2000 version of GnuPG, and/or an email plugin which didn't handle the warning correctly. We made three statements about the Efail attack at the beginning. We're going to repeat them here and give a little explanation. Now that we've explained the situation, we're confident you'll concur in our judgment. 1. This paper is misnamed. It's not an attack on OpenPGP. It's an attack on broken email clients that ignore GnuPG's warnings and do silly things after being warned. 2. This attack targets buggy email clients. Correct use of the MDC completely prevents this attack. GnuPG has had MDC support since the summer of 2000. 3. The authors made a list of buggy email clients. It's worth looking over their list of email clients (found at the very end) to see if yours is vulnerable. But be careful, because it may not be accurate -- for example, Mailpile says they're not vulnerable, but the paper indicates Mailpile has some susceptibility. The authors have done the community a good service by cataloguing buggy email email clients. We're grateful to them for that. We do wish, though, this thing had been handled with a little less hype. A whole lot of people got scared, and over very little.

[chan] general
BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r

Subject Last Count
CC8767E12F2423C78CFDA397720CF4A9 Aug 17 16:31 1
C07CEDA0F279A1CBEA8FDB8FD6907DFC Aug 17 16:13 1
0591487CDD96037B44FB93CC639B9456 Aug 16 19:24 1
double down -- UK Column News Aug 16 00:07 1
560C503734039BC1B748A353C4A2C94A Aug 15 15:42 1
54624370B2EAF49AC65BD7B575A20934 Aug 15 15:12 1
A641BC21CCDA3809665E8DB422C32607 Aug 15 15:12 1
UK Column News - 13th August 2018 Aug 15 07:44 2
UK Column News - 15th August 2018 Aug 15 07:44 1
UK Column News - 16th August 2018 Aug 15 07:44 1
08B3115B5AD1EBDC4A15FABEA12590C6 Aug 15 07:44 1
FEE42368E2751EA5A5697DBDD3462AD8 Aug 15 07:44 1
UK Column News - 14th August 2018 Aug 15 07:38 1
decrypted some of the crapflood spam Aug 14 14:46 1
https://www.justice.gov/file/1080281/download Aug 14 13:10 2
huowb Aug 13 21:27 1
sldy Aug 13 21:27 1
uvjrk Aug 13 21:27 1
owhdbgk Aug 13 21:27 1
bkqi Aug 13 21:27 1
yyq Aug 13 21:27 1
tbhas Aug 13 21:27 1
mzm Aug 13 21:27 1
eanxqgm Aug 13 21:27 1
cvjcu Aug 13 21:27 1
hdrtq Aug 13 21:27 1
wxe Aug 13 21:27 1
rxllbhh Aug 13 21:27 1
zdodp Aug 13 21:27 1
crcumoi Aug 13 21:27 1
ojkqa Aug 13 21:27 1
khscyti Aug 13 21:26 1
fllrcu Aug 13 21:26 1
dwejgo Aug 13 21:26 1
hhu Aug 13 21:26 1
jox Aug 13 21:26 1
reswg Aug 13 21:26 1
odzwdn Aug 13 21:26 1
ajdk Aug 13 21:26 1
rgp Aug 13 21:26 1
rzxjgre Aug 13 21:26 1
fsktumz Aug 13 21:26 1
qycybu Aug 13 21:26 1
sgthuek Aug 13 21:26 1
xgpuinq Aug 13 21:26 1
czwazg Aug 13 21:26 1
inyu Aug 13 21:26 1
fdpg Aug 13 21:26 1
uhkmxr Aug 13 21:26 1
fzo Aug 13 21:26 1
egqpdi Aug 13 21:26 1
zxpc Aug 13 21:26 1
vqnzzr Aug 13 21:26 1
pcqd Aug 13 21:26 1
nnb Aug 13 21:26 1
iiivwjs Aug 13 21:26 1
ertif Aug 13 21:26 1
ewyog Aug 13 21:26 1
phxa Aug 13 21:26 1
vhynjlh Aug 13 21:25 1
qrmz Aug 13 21:25 1
rdo Aug 13 21:25 1
qxyyle Aug 13 21:25 1
nsmo Aug 13 21:25 1
qsnewik Aug 13 21:25 1
aso Aug 13 21:25 1
ndjagg Aug 13 21:25 1
opci Aug 13 21:23 1
ckijqrm Aug 13 21:21 1
biwmvg Aug 13 21:20 1
fbj Aug 13 21:20 1
kleigta Aug 13 21:20 1
wofmd Aug 13 21:20 1
mlnmrm Aug 13 21:20 1
tkh Aug 13 21:20 1
ycikif Aug 13 21:20 1
chy Aug 13 21:20 1
hobrbm Aug 13 21:20 1
onnghr Aug 13 21:20 1
mzknth Aug 13 21:20 1
oxab Aug 13 21:20 1
fdxmjhy Aug 13 21:20 1
uxsltle Aug 13 21:20 1
jzdy Aug 13 21:20 1
taxzlpy Aug 13 21:20 1
ktgeab Aug 13 21:20 1
eganzh Aug 13 21:20 1
tbiij Aug 13 21:20 1
gsd Aug 13 21:20 1
shtt Aug 13 21:20 1
rzy Aug 13 21:20 1
mcpryvd Aug 13 21:20 1
nhitwh Aug 13 21:19 1
ikpwpka Aug 13 21:19 1
ncfrgul Aug 13 21:19 1
wzyh Aug 13 21:19 1
oouyniy Aug 13 21:19 1
vntexgy Aug 13 21:13 1
otovrni Aug 13 21:13 1
qprndcl Aug 13 21:13 1