#362 Spoofable signatures: a message with a pgp/mime subpart is indistinguishable from a message that is signed as a whole

fixed
nobody
None
1.7.2
Major
All
1.9.9
nobody
2018-02-11
2014-11-04
No

consider a message structured like this:

A└┬╴multipart/mixed 9775 bytes
B ├─╴text/plain 1627 bytes
C └┬╴message/rfc822 test 3783 bytes
D  └┬╴multipart/signed 3511 bytes
E   ├─╴text/plain 1391 bytes
F   └─╴application/pgp-signature attachment [signature.asc] 1027 bytes

Enigmail reports this message as "signed and verified" if it possesses the key held by the signer of F.

however, part B is not part of the signature, and there is no way for the user to tell which part is signed and which is not. This provides an easy mechanism for message spoofing: attach a previously-signed message to your e-mail.

note that mailman deals with PGP/MIME-signed messages by appending its mail footer like so:

G└┬╴multipart/mixed 6443 bytes
H ├┬╴multipart/signed 2205 bytes
I │├─╴text/plain 632 bytes
J │└─╴application/pgp-signature attachment [signature.asc] 1027 bytes
K └─╴text/plain inline 176 bytes

So these sorts of messages are not unusual :(

This has been discussed for a few years on the mailing list:

http://thread.gmane.org/gmane.comp.mozilla.enigmail.general/17707/focus=17924

most recently: http://thread.gmane.org/gmane.comp.mozilla.enigmail.general/19229

Here is a proposed solution (thanks to Eduard Christian Dumitrescu for the initial suggestion):

  • if some part of the message is signed, and enigmail decides to show the message verification banner, it should only display the signed parts (hiding the unsigned parts).

This can be combined with more nuance, if desired. (e.g. providing a way to show the entire message without the verification banner if the user wants to see the whole thing).

Note that for S/MIME, thunderbird refuses to show a signed indication if only a sub-part of the message is signed -- it only shows S/MIME signature verification if the top-level part of the message is the signed part.

Related

Bugs: #283
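
The structural distinction the ticket asks for can be checked mechanically. The following is an added example, not Enigmail or Thunderbird code: it walks a MIME tree and labels each leaf part as inside or outside a PGP/MIME signed subtree, reporting "whole" only when the top-level part is the signed part (the rule the ticket describes for S/MIME). It verifies no signature; the function names, sample texts and placeholder signature bytes are assumptions made for the illustration.

```python
from email.mime.application import MIMEApplication
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def is_pgp_signed(part):  # well-formed PGP/MIME: signed content + signature
    return (part.get_content_type() == "multipart/signed"
            and (part.get_param("protocol") or "").lower() == "application/pgp-signature"
            and part.is_multipart() and len(part.get_payload()) == 2)

def coverage(part, covered=False, path="1"):
    """Yield (path, content_type, covered) per leaf. Structure only, no crypto."""
    if is_pgp_signed(part):
        # First child is the signed content; the second is the signature itself.
        yield from coverage(part.get_payload()[0], True, path + ".1")
    elif part.is_multipart():  # also true for message/rfc822 wrappers
        for i, child in enumerate(part.get_payload(), 1):
            yield from coverage(child, covered, f"{path}.{i}")
    else:
        yield path, part.get_content_type(), covered

def verdict(msg):
    """'whole' only when the top-level part is the signed part."""
    leaves = list(coverage(msg))
    if is_pgp_signed(msg):
        return "whole", leaves
    return ("partial" if any(c for _, _, c in leaves) else "unsigned"), leaves

def signed_part(text):
    s = MIMEMultipart("signed", protocol="application/pgp-signature")
    s.attach(MIMEText(text))
    # Constructed placeholder bytes, not a real OpenPGP signature.
    s.attach(MIMEApplication(b"placeholder", "pgp-signature"))
    return s

def forwarded_case():  # constructed copy of structure A-F in the ticket
    a = MIMEMultipart("mixed")
    a.attach(MIMEText("unsigned text"))                 # B
    a.attach(MIMEMessage(signed_part("signed text")))   # C > D > E, F
    return a

def mailman_case():  # constructed copy of structure G-K in the ticket
    g = MIMEMultipart("mixed")
    g.attach(signed_part("list post"))   # H > I, J
    g.attach(MIMEText("list footer"))    # K
    return g

if __name__ == "__main__":
    for m in (forwarded_case(), mailman_case(), signed_part("hi")):
        print(verdict(m))
```

Both structures from the ticket come out as "partial", with the leaf list showing exactly which text parts a banner would and would not be vouching for.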

Discussion

  • Ludwig Hügelschäfer

    Part of the solution is in Bug 342. However, we should really indicate which part of the message is signed and which part(s) not.

     
  • Patrick Brunschwig

    The only way to fix this properly is by displaying a MIME tree and marking which parts were signed by whom.

     
    • Daniel Kahn Gillmor

      On Sat 2015-01-31 12:03:36 -0500, Patrick Brunschwig wrote:

      The only way to fix this properly is by displaying a MIME tree and
      marking which parts were signed by whom.

      it sounds like you're proposing trying to fix an even larger problem
      than the one raised by ticket #362.

      362 raises the problem of a message that has a single subtree that is
      signed, but other parts that are not signed. (it does not deal with
      messages with multiple signed subtrees)

      A targeted fix to address #362 (and ignoring messages with multiple
      signed subtrees) would be as Eduard suggested: when showing the enigmail
      "message signed" header, only display the parts of the subtree that
      are signed, and don't display any other part of the message body.

      The header could include a button that says "show entire message", which
      would remove the "message signed" header, and show all the parts
      together.

          --dkg
      
       
  • Patrick Brunschwig

    Your proposal is impossible to implement in Thunderbird.

     
    • Daniel Kahn Gillmor

      On Tue 2015-02-03 05:23:29 -0500, Patrick Brunschwig wrote:

      Your proposal is impossible to implement in Thunderbird.

      Is it impossible to implement because pruning the MIME tree of a given
      message is impossible? Is this something we should raise with
      Thunderbird upstream? I'm happy to raise it, but i'm not sure how to
      characterize the problem clearly.

              --dkg
      
       
  • Andreas Krüger

    Andreas Krüger - 2015-03-13

    FWIW: The Debian bug tracking system also sends messages that are partly signed, yet get displayed as signed. Grab https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;mbox=yes;bug=341935 for an example. (The key of mine originally used for signing has been retired of old age and revoked since, which is displayed duly and of no concern here.)

     
  • Andreas Krüger

    Andreas Krüger - 2015-03-13
    • Severity: Minor --> Major
     
  • Patrick Brunschwig

    • status: open --> fixed
    • Fixed in version: --- --> 1.9.9
     
  • Patrick Brunschwig

    Fixed in v1.9.9 (as part of the Cure53 fixes)

     
