A much-trailed report from a team of security researchers at Münster University in Germany landed with a clang today, after cybersecurity professor Sebastian Schinzel announced that his team would publish “critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC”.
The warning had caused severe concern among privacy advocates.
PGP is a popular open-source end-to-end encryption standard widely used by political dissidents, reporters and businesses seeking security, while S/MIME (Secure/Multipurpose Internet Mail Extensions) is an asymmetric cryptographic technology that enables users to send encrypted emails with a digital signature.
Digital civil liberties group the EFF said in a rapidly issued advisory: “These vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”
The civil liberties organisation added: “Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.” It named Enigmail for Thunderbird, GPGTools for Apple Mail and Gpg4win for Outlook and offered instructions to disable them.
With businesses, political dissidents and journalists all relying on PGP to maintain a degree of online privacy, any vulnerability would be critical.
Yet as a row about the research began on Twitter, the full report was leaked early by Germany’s Süddeutsche Zeitung newspaper. Many in the privacy community were unimpressed by how the disclosure had been handled. (The report, ultimately, detailed vulnerabilities in email clients and not PGP itself.)
The issue had been “overblown” by the EFF, said Werner Koch, of GnuPG.
He described the vulnerability as follows: “The topic of that paper is that HTML is used as a back channel to create an oracle for modified encrypted mails.”
“It is long known that HTML mails and in particular external links like <img href="tla.org/TAG"/> are evil if the MUA actually honors them (which many meanwhile seem to do again; see all these newsletters).”
“Due to broken MIME parsers a bunch of MUAs seem to concatenate decrypted HTML mime parts which makes it easy to plant such HTML snippets. There are two ways to mitigate this attack:
– Don’t use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links.
– Use authenticated encryption. The latter is actually easy for OpenPGP because we started to use authenticated encryption (AE) since 2000 or 2001. Our AE is called MDC (Modification detection code) and was back then introduced for a very similar attack. Unfortunately some OpenPGP implementations were late to introduce MDC and thus GPG could not fail hard on receiving a mail without an MDC.”
Thunderbird meanwhile said: “A patch that addresses the last known exploit vector has been submitted, and is currently in review and being tested. We expect to see this land in an update to our users before the end of the week.”
“Overblown and Disproportionate”
ProtonMail was among those hitting back at the disclosure.
The Switzerland-based private email service said it was “safe against the efail vulnerability”, adding that “The real vulnerability is implementation errors in various PGP clients. PGP (and OpenPGP) is fine. Any service that uses our openpgpjs library is also safe as long as the default settings aren’t changed.”
The company added: “Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched… The warning is overblown and disproportionate, and likely issued without fully understanding the issue. It was irresponsible for the researchers to not correct that.”
But Google cryptographer Filippo Valsorda, responding to the row on Twitter, said: “I really don’t get the community’s negative reaction. This is a perfect case study for proper AEADs, safe APIs, and against secure email in general.”
He added: “No, in 2018 you don’t get to claim the high ground and blame users and implementations if your crypto API returns the plaintext on a decryption error. At most you can say “sorry we are a legacy system, no one knew better then, it’s time to migrate off”.”
— Filippo Valsorda (@FiloSottile) May 14, 2018
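The "fail hard" behaviour Koch describes for MDC and the API property Valsorda criticises can be seen side by side in the following added example, which is not code from the article, GnuPG or any of the clients named above. It assumes a toy SHA-256 keystream and an HMAC-SHA256 tag as stand-ins for OpenPGP's cipher mode and MDC, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

class IntegrityError(Exception):
    """Raised when a message fails authentication."""

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy SHA-256 counter keystream (illustration only, not OpenPGP CFB).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def _subkeys(key: bytes):
    # Separate keys for encryption and authentication.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = nonce + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def _split(key: bytes, blob: bytes):
    enc_key, mac_key = _subkeys(key)
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return enc_key, body[:16], body[16:], hmac.compare_digest(tag, expected)

def open_lenient(key: bytes, blob: bytes):
    # Legacy-style API: returns plaintext plus a status the caller may ignore.
    enc_key, nonce, ct, ok = _split(key, blob)
    return _xor(ct, _keystream(enc_key, nonce, len(ct))), ok

def open_strict(key: bytes, blob: bytes) -> bytes:
    # Fail hard: nothing is decrypted unless the tag verifies.
    enc_key, nonce, ct, ok = _split(key, blob)
    if not ok:
        raise IntegrityError("tag mismatch; no plaintext released")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))
```

With `open_lenient`, a mail client that renders the returned bytes without checking the status flag displays modified content; with `open_strict` there is nothing to render.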