#226 Disabled "Automatic Decrypt/Verify Messages" does decrypt PGP/MIME encrypted messages

fixed
None
1.6.0
Major
24.2.0
All
1.8.0
2014-09-15
2013-12-15
No

When deselecting the menu setting "Automatic Decrypt/Verify Messages", PGP/MIME encrypted and encrypted/signed messages are still automatically decrypted. Inline PGP messages are handled correctly and displayed as if no Enigmail was installed.

For PGP/MIME signed messages a hint is displayed: "Possibly PGP/MIME encrypted or signed message; click Decrypt button to verify".

Enigmail should behave like this also for encrypted or encrypted/signed PGP/MIME messages.

Discussion

  • Patrick Brunschwig

     
  • Patrick Brunschwig

    It is not quite easy to implement this in a way that would work reliably. While you can easily make the backend observe the setting as such, you'll have difficulties to implement a function to manually perform the decryption. The reason is that decryption is simply called while Thunderbird is loading the message, you have no other information than the fact that the particular message is loaded...

     
  • Alan Eliasen

    Alan Eliasen - 2014-08-23

    This is one of the most important bugs in Enigmail, and somehow it's labeled "minor" severity. This is, frankly, appalling. It is one of the primary reasons that I warn people against the use of PGP/MIME in Enigmail in my GPG guide:

    https://futureboy.us/pgp.html#AttachmentsInEnigmail

    This bug is the primary reason that I'm considering warning people from using Enigmail entirely. If the developers consider this a minor bug, then they simply have not been paying attention.

    But you don't need to hear it from me. You should listen to some of the CREATORS of the RSA algorithm who explicitly state in one of the most widely-circulated academic papers about GPG that Enigmail itself, and its propensity to decrypt PGP/MIME messages without user input, is the main reason that they can completely recover your private key using nothing but a microphone near your computer, or by touching your skin as you receive an encrypted message:

    http://www.tau.ac.il/~tromer/acoustic/

    See Q11 where they call out Enigmail specifically as the best way to compromise someone's entire private key because of THIS bug!

    It is absolutely wrong and broken to ever decrypt a message without specific user intervention. I could go on more, but when the authors of the RSA algorithm tell the world that this Enigmail bug is how they can totally own your GPG private key, you MUST MUST make this a major priority to fix.

    Enigmail should be considered broken and actively dangerous to your privacy and security of your communications until this is fixed.

     
  • Olav Seyfarth

    Olav Seyfarth - 2014-08-23

    Sorry, but no. This is NOT an enigmail bug. Even IF a user opts to decrypt (to see what the message is about), he/she would be vulnerable. Apart from that, please reread the paper you cited. Enigmail uses GnuPG, and GnuPG was fixed when the paper was released:

    Q9: How vulnerable is GnuPG now?
    We have disclosed our attack to GnuPG developers under CVE-2013-4576, suggested suitable countermeasures, and worked with the developers to test them. New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and resistant to our current key-extraction attack, were released concurrently with the first public posting of these results. Some of the effects we found (including RSA key distinguishability) remain present.

    Yes, I also read the last sentence. Still this does not make the bug a major one.

     
  • Ludwig Hügelschäfer

    First of all: Enigmail does not do cryptographic operations! It is calling gnupg to do the crypto stuff. The attack you are referring to is known since months and has been fixed in the gnupg 1.4 series by release of 1.4.16 in december 2013. See this post: http://lists.gnupg.org/pipermail/gnupg-users/2013-December/048500.html Gnupg 2.0.x series was and is NOT vulnerable to this attack. So please do yourself a favor and do not mix responsibility. It is gnupgs responsibility to cover side-channel attacks. And it is Enigmails responsibility to respect preference settings. You may argue that the severity of this bug is set wrong, but DO NOT TELL that Enigmail exposes your private key! This is simply plain wrong.

     
  • Alan Eliasen

    Alan Eliasen - 2014-08-23

    From the responses from Enigmail developers, I am even more concerned that they absolutely do not understand the fundamentals of writing secure code. This further reinforces my beliefs that Enigmail is insecure and should not be used.

    The respondents above completely evade the fundamental problem that any program decrypting messages without explicit user affirmation is the absolutely wrong thing to do. I can't imagine any mindset that understands cryptography that could possibly think otherwise. To be sure, if you think that automatic and silent decryption of any message is ever right, YOU HAVE FAILED. Let me repeat that. If you think that automatic and silent decryption of any message is ever right, YOU HAVE FAILED.

    They pretend that since they "solved" one side-channel attack on automatically-decrypted messages that no other side-channel attacks are possible. This is, quite literally, the definition of incompetence in cryptography.

    The fact is that Enigmail still automatically decrypts messages (possibly very many messages, perhaps hundreds or thousands in a single e-mail) with no user input, when the message is received, allowing it to be exploited. Anyone with competence in cryptography will immediately see that this is a major flaw. RSA proved that.

    To the people telling me that this isn't a bug, please send your comments to Rivest, Adel, and Shamir. Or the authors of the paper:

    http://www.tau.ac.il/~tromer/acoustic/

    If you have told me here that automatic silent decryption of any message is not a major security hole, then I simply have perfect confirmation that you cannot be trusted with respect to cryptographic ability.

     
  • Patrick Brunschwig

    If you think the severity is wrong, then go ahead and change it. The reporter set it to minor and nobody changed it so far.

    This bug is about automatically decrypting a message that a user wants to view (i.e. the message you clicked on). If you don't want automatic decryption, the best way is to set up Enigmail and GnuPG to NOT remember the passphrase. That's far better than bashing on Enigmail for something we can't fix because the Thunderbird API doesn't allow us to.

    PS. The acoustic attack you refer to has been addressed by GnuPG; recent versions of GnuPG are not affected by this attack.

     
  • Alan Eliasen

    Alan Eliasen - 2014-08-23

    Patrick,

    Your message about "If you think the severity is wrong, then go ahead and change it. The reporter set it to minor and nobody changed it so far." is appalling. It proves a lot about Enigmail developers. Every person in the world who develops GPG should have changed their life drastically when they saw http://www.tau.ac.il/~tromer/acoustic/ . But yet you ignored it.

    You don't understand how Enigmail works. Even if I turn automatic decryption off, then Enigmail automatically decrypts a message AS SOON AS I RECIEVE IT. I do not have to view it, nor decrypt it. Enigmail does decryption on receipt if it's in PGP/MIME format. This makes every Enigmail user vulnerable to the same side-channel attacks that you pretend don't exist any more because the simplest form was slightly mitigated.

    This is, obviously, horrendous, but you don't acknowledge it. You are wrong not to acknowledge it. I guess if you think that you're better than the RSA developers who demonstrated this bug to the world, then you can continue. It is a drastic, horrible bug and it allows anyone in the world to send you PGP/MIME messages and force you to decrypt very many messages (without user authorization) and steal your secret key. If you don't think that further side-channel attacks are possible, please shut down Enigmail.

     
  • Alan Eliasen

    Alan Eliasen - 2014-08-23
    • Severity: Minor --> Major
     
  • Patrick Brunschwig

    Even if I turn automatic decryption off, then Enigmail automatically decrypts a message AS SOON AS I RECIEVE IT.

    I have taken EVERY possible measure against this that are possible. This even includes changing Thunderbird. I know that there still a few situations where this can happen. But if I fix these, then you would be satisified: Enigmail would not decrypt any PGP/MIME message anymore - not on request, not automatically, just NOT AT ALL. Would that be better for you?

     
  • Olav Seyfarth

    Olav Seyfarth - 2014-08-23

    Alan, you made you point clear. I also would expect to be able to control decryption if that were my use case. But people have different needs. Many just want to be able to communicate with their friends and not be "disturbed" in any way. These people are unlikely to be overheard by a side channel attack. People that need to worry should not cache their passprhase at all, that's what Patrick said.

    We also have made our point. Fact is: there's nothing Enigmail can do since it is an AddOn to Thunderbird and Thunderbird does not provide the means that would be necessary to implement it as an AddOn. OT: My feelings are toward Mozilla: they claim to protect users but don't implement opportunistic S/MIME nor OpenPGP in the product itself.

    Side note: you state (towards Patrick): "You don't understand how Enigmail works." OK, so you know? He happens to be the lead developer. But maybe that's not what you meant to say.

    Another side note: I would be interested what crypto experts like Bruce Schneier, the GnuPG authors or the authors of papers of side channel attacks (there are more than "just" the acoustic, yes we do know of them) have to say. Go ahead: ask them to post here. But please stop ranting, stay to facts, and mouth them constructively.

     
  • Alan Eliasen

    Alan Eliasen - 2014-08-23

    Patrick,
    Your response is nonsensical. I'm starting to be baffled by your responses. Enigmail still decrypts messages on receipt even if I've told it not to. If you can't make Enigmail only decrypt repsonses on explicit user input, then you should not try at all. That's obvious. If there are Thunderbird bugs blocking the right thing to do, let's fix them. But don't pretend that automatically and silently decrypting is ever the right thing to do.

     
  • Alan Eliasen

    Alan Eliasen - 2014-08-23

    nursoda: It's never possible to prove that an attack can't work. It's only possible to prove that an attack can work. I did the following, demonstrating a literal attack from the authors of RSA that if you can force a user to automatically decrypt a series of messages, then they can obtain your entire public key and thus all of your past and future communications.

    The authors of RSA demonstrated this, and called out this bug specifically in Enigmail that made their attacks possible and feasible. I quoted this. If this is "ranting," then forevermore shall i rant.

     
  • Alan Eliasen

    Alan Eliasen - 2014-08-23

    If there is nothing that can be done in Enigmail that will prevent it from automatically decrypting e-mails without user input, then can someone please state so specifically? If that's the case, I will calmly present the case that Enigmail can not be used, and I will encourage others to use GPG directly from the command-line. I'm serious about this; I can't recommend tools that physically cannot be made safe.

     
  • Alan Eliasen

    Alan Eliasen - 2014-08-23

    I know that there are programming languages and environments that physically cannot be made safe. Java and JavaScript can be considered insecure if you use strings, as strings are immutable after construction, and you cannot, say, zero out the bytes in a string, removing the password or secret key. Does Enigmail mitigate this? If so, how?

     
  • Patrick Brunschwig

    Fact is this: Thunderbird does not provide anything that I would call an API for decrypting PGP/MIME messages. All it does is to provide a point where a configurable function can be called if a message is detected with a PGP/MIME content-type. This function receives the encrypted message source, and no other information.

    It is therefore not possible to know why the function is called - is the message going to be displayed or added to the search database or any other reason?

    The funcionality in Thunderbird that does this function call is called libmime and stems from Netscape(!) times. It's extremely complicated and subject to be replaced in Thunderbird for many years. There is work going on, but I cannot predict when a replacement for libmime is finished. As long as this is the case, I can only implement workarounds that try to detect by various means if the message is going to be displayed.

    I order to manually decrypt PGP/MIME messages, you would have to reload it and tell Enigmail to decrypt the message. But I did not yet find any possibility to differentiate between "load the message" and "load the message" ...

    But I'm not yet hopeless: while writing these lines, a new idea came to my mind how to fix this.

    Hint for myself: send URI to mimeDecrypt.js

     
  • Olav Seyfarth

    Olav Seyfarth - 2014-08-23

    Alan, you cited an article that itself states that they addressed those who could possibly fix and did so. So, from that article, there's no pending issue for any software using GnuPG. I did not tell that there is no possibility to attack GnuPG or Enigmail. But Enigmail does not handle crypto itself for a reason. And we strive to only call GnuPG when necessary/wanted.

    What you seem to miss is that many users don't care about it being JavaScript or being called without their consent. They rather have it completely transparent to them while still messages hosted on the IMAP server cannot be read by that provider. Nothing more. No attack scenario in mind. But still - in our spare time - we try to make sure Enigmail operates as secure as a security system should do.

    Remeber: It's a community project. Submit patches, not requests. Or spend/organise money for some developer that fixes things for you.

    If you have different needs, then please do use an air-gapped system and command line. But my personal focus is usable cryptography, not 100% attack proof systems. And yes, using any software always is a tradeoff between security and comfort. You did compile your compiler yourself, which which you compiled your OS and applications that you previously verified, didn't you ;-)

     
  • Patrick Brunschwig

    • status: open --> accepted
    • assigned_to: Patrick Brunschwig
     
  • Patrick Brunschwig

    I think I found a quite simple but reliable way to make decryption only work on request.

     
  • Patrick Brunschwig

    • status: accepted --> fixed
    • Fixed in version: --- --> 1.8.0
     
  • Patrick Brunschwig

    Fixed on master. The way it works is that you have to click "Decrypt" in order to decrypt the message. If you view other messages and then come back to the last message where you clicked "Decrypt", the message will be automatically decrypted.

    Using Forward, Edit As New, Reply / Reply to all, Edit (from drafts), will always trigger be automatic decryption.

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks