#984 Leak encrypted emails by replying to benign looking mails

fixed
nobody
None
2.0.10
Major
All
2.0.11
nobody
2019-07-03
2019-04-30
No

Related to bug #983 (partially signed), a variant of leaking the plaintext of PGP encrypted messages by replying to a benign looking email still works with the PGP/Inline wrapping trick. Note that multiple (hundreds of) encrypted mails can be wrapped and thereby leaked at once. Also, every captured PGP/MIME message can be "downgraded" to be interpreted in the context of a PGP/Inline message.

Related

Bugs: #984
Bugs: #985
Bugs: #995
Forum: Enigmail no longer displays unencrypted part of message

Discussion

  • Jens Müller

    Jens Müller - 2019-04-30

    Please find attached a screenshot which depicts the issue. There is a warning in the reply in current TB-versions but I doubt it may be enough.

  • Patrick Brunschwig

    • status: open --> wont-fix
  • Patrick Brunschwig

    Excuse me, but this is exactly the issue TBE-01-005 reported by Cure 53 in their pentest report. The solution to display a warning message was approved by Cure 53 as a good enough solution. I won't do more than that.

  • Jens Müller

    Jens Müller - 2019-05-02

    Out of curiosity: did TBE-01-005 contain actual MIME-wrapping, with the first MIME part being HTML, hiding the second (encrypted) MIME part -- or was it a single message: ATTACKER'S_TEXT || PGP_ASCII_ARMOR with the decrypted text still being shown?

    Of course, it's up to the devs to judge if a warning is good enough.

  • Patrick Brunschwig

    TBE-01-005 is about both MIME wrapping and inline PGP. They put the two distinct problems into the same pot.

  • Jens Müller

    Jens Müller - 2019-05-02

    Forgot to attach the PoC email (see attached). Also see initial "Decryption oracle PoC 1: Leaking plaintext through reply/forward" report submitted on 2017-11-21 as https://bugzilla.mozilla.org/show_bug.cgi?id=1419417

    I did a quick re-test and could not get rid of the red bar.
    However, still not convinced if this is the perfect long-term solution :/

  • Patrick Brunschwig

    • status: wont-fix --> fixed
    • Fixed in version: --- --> 2.1
  • Patrick Brunschwig

    I decided to go for a more radical solution. If a message contains a mixture of inline-PGP and plaintext parts, then Enigmail will replace the complete visible message with the decrypted/verified inline-PGP part and any unencrypted text that follows the inline-PGP part. Any text before the inline-PGP part will be silently dropped.

    Because the displayed HTML structure is completely replaced with a plaintext HTML structure generated by Enigmail, it is no longer possible to hide encrypted messages via inline-PGP.
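    The rendering policy described in this comment, shown as an added example that is not Enigmail's own code: a message body mixing plaintext and an inline-PGP block is rendered either the old way (decrypted block substituted in place, surrounding text kept) or the fixed way (the whole visible message becomes the decrypted part plus whatever follows it, text before the block dropped). The armored block, the sample body and the `stand_in_decrypt` lookup are constructed for the example; a real client would call GnuPG instead of that lookup, and the fixed renderer here assumes a single inline-PGP block per message.

```python
import re

# Matches one ASCII-armored inline-PGP block, including its BEGIN/END lines.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----",
    re.DOTALL,
)

# Constructed sample data: the "ciphertext" is not real armor content.
ARMORED_BLOCK = (
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "hQEMA3ExampleOnlyNotRealCiphertext=\n"
    "-----END PGP MESSAGE-----"
)
SECRET = "Secret: the merger closes Friday."

# A benign-looking mail: attacker-controlled text, then a captured encrypted
# block the victim can decrypt, then a harmless closing line.
SAMPLE_BODY = (
    "Hi, could you confirm the details below?\n\n"
    + ARMORED_BLOCK
    + "\n\nThanks,\nAlice\n"
)


def stand_in_decrypt(armored: str) -> str:
    """Stand-in for the real decryption call (hypothetical, constructed)."""
    return {ARMORED_BLOCK: SECRET}[armored]


def render_old(body: str, decrypt) -> str:
    """Pre-fix behaviour as described in the thread: decrypt the block in
    place and leave the surrounding plaintext untouched.  The attacker's
    leading text survives, and a reply quotes the secret next to it."""
    return ARMOR_RE.sub(lambda m: decrypt(m.group(0)), body)


def render_fixed(body: str, decrypt) -> str:
    """Behaviour of the fix: the visible message is replaced by the decrypted
    inline-PGP part plus any text that follows it; text before it is dropped,
    so nothing attacker-controlled can be placed above the decrypted part."""
    match = ARMOR_RE.search(body)
    if match is None:
        return body  # nothing encrypted: show the message unchanged
    return decrypt(match.group(0)) + body[match.end():]


def dropped_leading_text(body: str) -> str:
    """Text the fixed renderer discards; useful for logging why a view changed."""
    match = ARMOR_RE.search(body)
    return "" if match is None else body[:match.start()]


if __name__ == "__main__":
    print("--- old rendering ---")
    print(render_old(SAMPLE_BODY, stand_in_decrypt))
    print("--- fixed rendering ---")
    print(render_fixed(SAMPLE_BODY, stand_in_decrypt))
```

    With the old rendering the reply window would contain the attacker's greeting, the decrypted secret and the closing line, so a user who trusts the visible greeting replies in the clear with the secret quoted. The fixed rendering removes the greeting entirely rather than relying on the user to notice a warning.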

  • Patrick Brunschwig

    • Fixed in version: 2.1 --> 2.0.11
  • Nicki

    Nicki - 2019-07-02

    I think the "more radical solution" breaks enigmail for everyone who has to communicate with people that don't use encryption/signing.
    It may fix the problem stated in this bug report, but it creates a whole lot of usability issues in the real world.

  • Jens Müller

    Jens Müller - 2019-07-02

    @Nicki: Can you give an example email that is broken by the fix? I could imagine some (partially encrypted) emails generated by KMail in a certain config that could be affected.

    @Patrick: Even though it does not matter any more -- in the pre-fix version, an attacker could simply change the order of the MIME parts in malicious-email.eml to completely get rid of the warning message when replying, while -- using CSS tricks -- the encrypted part could still be hidden.

    • Patrick Brunschwig

      > @Patrick: Even though it does not matter any more -- in the pre-fix version, an attacker could simply change the order of the MIME parts in malicious-email.eml to completely get rid of the warning message when replying, while -- using CSS tricks -- the encrypted part could still be hidden.

      Sure, you don't tell me no news. That's why messages are either not decrypted, or -- if decrypted -- the decrypted message replaces the entire original message. There is nothing in between.

      I'm thinking about displaying a message in the header bar, which is not part of the message and disabling auto-decryption for partially encrypted (or signed) messages. That's probably less confusing for users, even though I'm sure I'll get complaints about that solution too ...

      • Nicki

        Nicki - 2019-07-03

        > I'm thinking about displaying a message in the header bar, which is not part of the message and disabling auto-decryption for partially encrypted (or signed) messages. That's probably less confusing for users, even though I'm sure I'll get complaints about that solution too ...

        The old behaviour was to display a warning bar that informed me that only parts of the message could be verified and that was o.k. with me.
        If I could enable the old behaviour I would be happy... :)


        Last edit: Nicki 2019-07-03
        • Patrick Brunschwig

          On 3 July 2019 16:31:05 MESZ, Nicki alie2n@users.sourceforge.net wrote:

          >> I'm thinking about displaying a message in the header bar, which is
          >> not part of the message and disabling auto-decryption for partially
          >> encrypted (or signed) messages. That's probably less confusing for
          >> users, even though I'm sure I'll get complaints about that solution too
          >> ...
          > The old behaviour was to display a warning bar that informed me that
          > only parts of the message could be verified and that was o.k. with me.
          > If I could enable the old behaviour I would be happy... :)
          The old behavior is definitely not allowed anymore. It can be abused in several ways to trick you and to unintentionally reveal sensitive information.

        • Patrick Brunschwig

          To be quite clear: we can discuss about improving the current behavior, but you will not - under any circumstances - get back the old behavior that displayed a mix of decrypted and plain text parts.

          A warning is simply not sufficient because you cannot reliably tell which text part was encrypted and which not.

    • Nicki

      Nicki - 2019-07-03

      > @Nicki: Can you give an example email that is broken by the fix? I could imagine some (partially encrypted) emails generated by KMail in a certain config that could be affected.

      That is quite easy. Any mail that contains signed and unsigned parts causes erratic behaviour.
      If I send a signed mail to my customer and then I get an answer back (text above full quote) my inline pgp signed part is untouched and is verified by enigmail.
      When I reply to this mail I only get my sent mail in the reply window and the text of my customer is silently dropped. And I consider that a broken behaviour.


      Last edit: Nicki 2019-07-03