Enigmail does not complain if signed messages have a valid PGP/Inline signature for the text body but also an unsigned attachment.
It is very straightforward to test and reproduce this with unsigned files and pubkeys as attachments to PGP/Inline messages if they are unencrypted. (In Thunderbird, just copy and paste the plaintext signature/text block into a new message and add the compromised attachment.)
Enigmail won't indicate anything except the message being valid!
I did not find a related bug report or posting by using search engines, but I cannot really believe I am the first Enigmail user noticing this, am I?
If I didn't get everything completely wrong, this easily allows attackers to add or manipulate attachments of signed, unencrypted (might also work for encrypted) PGP/Inline messages by replacing them with unsigned, manipulated versions.
As Enigmail's user interface does not give any hint about the unsigned attachment, the only way to notice such a potentially compromised attachment is by looking into the message source. (Thunderbird: Ctrl+U)
As most average people don't routinely do this, and they also don't check the signature timestamps of incoming messages for plausibility, an attacker may also resend any older signed copy of a PGP/Inline message that makes sense with the compromised attachment as well.
In a scenario where an Enigmail user did not sign a secure, specific key transition statement but a very general message like "I have a new PGP-key, please don't use the superseded one anymore. This message is signed with the superseded key for Authentication." an attacker getting a copy of that message can resend it with a compromised key.
Incautious contacts might just import and trust it if they had verified and signed the old key's fingerprint and don't demand a certificate on the key itself, as they trust in the attachment being signed. (This would be a man-in-the-middle attack!)
By not using PGP/Inline and signing only encrypted messages (if possible), in combination with other good practices, users can protect their own signatures from misuse, but Enigmail will still advise them to trust attachments that are not signed, as described above.
If I actually did get anything wrong here regarding the security impact please correct me.
Anyway, I personally think there should be an (eye-catching) warning like there already is for partially signed text-body messages. (A line hidden in the Security Info would be better than the situation now, but a visible notice won't break compatibility with anything.)
I did not yet file a Bug Report but of course feel free to do that yourself if you can confirm this.
As far as I remember, there should be such an indication. If it's not shown, then that would be a bug.
I now created such a simple message for an arbitrary signature Patrick once sent over the mailing list:
http://s000.tinyupload.com/index.php?file_id=00699258834799362894
By opening the message with Thunderbird, anyone having Patrick's public key can immediately start testing this bug with different operating systems.
Even though it is a PGP/MIME signature, this message will show up as valid, including the unsigned, attached public key of Waylon Smithers.
At least this is true for Enigmail 1.5.1 on two popular Linux distros I tested.
Obviously the (outdated) key does not logically fit in any way to the content of the signed message; it's only for technical demonstration and as an example for any compromised attachment.
Also note that the signature timestamp is not plausible, but apart from that Thunderbird's GUI gives no hint if you do not look into the message's source.
Ah, but this is a different topic. You talked about inline PGP and now you're linking to a PGP/MIME message. What I said is certainly only true for inline PGP. There is currently a discussion on the mailing list about how to inform about partially signed messages.
Your example is a typical inline PGP signed text mail with an unsigned attachment. Currently, Enigmail does not specially display if an attachment of an inline signed mail has a signature and if yes, it does not automatically verify the signature. I think that behaviour could be improved.
Regarding timestamps: I think it is very difficult to make a statement (what should it say?) if the timestamps of the mail itself and the PGP signature are differing (what difference should be regarded as dangerous?). This could only be a weak sign of a forgery and is not much of an obstacle for an attacker.
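The gap discussed in the opening post and in the reply above is about signature coverage: an inline (clearsigned) signature covers only the text between its armor lines, while a PGP/MIME detached signature covers the entire first body part, attachments included. The following added example (not Enigmail code; the messages and "placeholder" signature/key bodies are constructed, and no signature is actually verified) walks a MIME message and reports, per leaf part, whether a valid signature would cover it, which is exactly the warning the reporter asks Enigmail to display.

```python
import email
from email import policy

# Constructed clearsigned body; the signature block is a placeholder, not real armor output.
CLEARSIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
               "I have a new key, please stop using the old one.\n"
               "-----BEGIN PGP SIGNATURE-----\n\nplaceholder\n-----END PGP SIGNATURE-----")

def mixed_body(text: str) -> bytes:
    """Constructed multipart/mixed body: one text part plus an attached key file."""
    return (b'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\n'
            + text.encode() + b'\n--b1\nContent-Type: application/pgp-keys; name="newkey.asc"\n'
            b'Content-Disposition: attachment; filename="newkey.asc"\n\nplaceholder\n--b1--\n')

# Inline variant: the signature lives inside the text part only; the attachment is unsigned.
INLINE_MSG = b"MIME-Version: 1.0\n" + mixed_body(CLEARSIGNED)
# PGP/MIME variant: one detached signature over the whole multipart/mixed body.
PGP_MIME_MSG = (b'MIME-Version: 1.0\nContent-Type: multipart/signed; '
                b'protocol="application/pgp-signature"; boundary="b2"\n\n--b2\n'
                + mixed_body("Hello") +
                b'--b2\nContent-Type: application/pgp-signature\n\nplaceholder\n--b2--\n')

def signature_coverage(raw: bytes) -> dict:
    """Per leaf part, say whether a *valid* signature would cover it.
    Signature verification itself is left to gpg; this only answers the thread's
    question: which parts of the message lie outside the signed region?"""
    msg = email.message_from_bytes(raw, policy=policy.default)

    def label(part):
        return part.get_filename() or part.get_content_type()

    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        # The detached signature hashes everything under the first child part.
        return {label(p): "covered" for p in msg.get_payload()[0].walk()
                if not p.is_multipart()}
    report = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = part.get_content() if part.get_content_maintype() == "text" else ""
        head, sep, rest = text.partition("-----BEGIN PGP SIGNED MESSAGE-----")
        _body, sep2, tail = rest.partition("-----END PGP SIGNATURE-----")
        if not (sep and sep2):
            report[label(part)] = "uncovered"            # no clearsigned block at all
        elif head.strip() or tail.strip():
            report[label(part)] = "partially covered"    # text outside the signed block
        else:
            report[label(part)] = "covered"
    return report
```

Running `signature_coverage` on the two constructed messages shows the attachment reported as "uncovered" for the inline variant and "covered" for the PGP/MIME variant; a client could surface exactly that difference instead of a bare "valid signature" badge.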
The reason why Enigmail is not reporting a missing signature for the particular message is because the attachment is an OpenPGP key.
There is no reason to sign a key using a detached signature. If you want to sign a key, then sign the key as such, and not the file containing a key.