Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <516F5E06.8040500@redhat.com>
Date: Wed, 17 Apr 2013 20:44:22 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Daniel Kahn Gillmor <dkg@...thhorseman.net>, Thomas Biege <thomas@...e.de>,
        patrick@...gmail.net, dkg@...thhorseman.net
Subject: Re: debian: gpg --verify suggests entire file was
 verified, even if file contains auxiliary data

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/17/2013 12:32 PM, Daniel Kahn Gillmor wrote:
> On 04/17/2013 02:23 PM, Kurt Seifried wrote:
>> I've run into this before, sadly enigmail (Thunderbird gpg
>> plugin) displays the same green bar for message signed ok, but
>> displays the text as "Part of the message signed" so unless
>> you're really paying attention, you'll miss it.
>> 
>> My thinking is this:
>> 
>> 1) It's pretty easy to find signed content for people using GPG 
>> 2) It's pretty easy to append/embed signed content into a larger
>> message
>> 
>> So the attack would be: create malicious content/email,
>> embed/append a valid message harvested from somewhere. Send to
>> user. The user verifies then reads the message, unless they are
>> really paying attention they probably won't notice that the
>> content isn't signed properly (e.g. have an email, ton of
>> whitespace, then the signed message). Personally I'm inclined to
>> assign a CVE, enigmail for example does mostly the right thing
>> (makes a distinction between fully signed and partially signed).
>> I think GPG should too. Thoughts/comments before I assign this?
> 
> A similar attack (related to PGP/MIME) has been under discussion on
> the enigmail list last month.  see the thread starting at:
> 
> https://lists.enigmail.net/pipermail/enigmail-users_enigmail.net/2013-March/000721.html
>
>  I think the enigmail issues are distinct from the gpg issues, and
> i don't think they should be conflated into the same CVE.
> 
> In particular, i see the enigmail issues as (security-related)
> UI/UX problems, but i see the gpg problems as (security-related) 
> API/programmatic-use problems.
> 
> By comparison with enigmail, thunderbird's native S/MIME
> verification routines display no cryptographic indicators at all if
> only part of a message is signed.  This means that S/MIME-signed
> messages sent through common mailing list software which attaches a
> text/plain MIME footer (like mailman) will not indicate that they
> are verifiable at all.
> 
> it's not a pretty set of tradeoffs. :/
> 
> --dkg
> 

So I think first off we need to figure out what the behaviour should
be. My thought would be that it should be quit explicit, e.g. "this
entire message/file/etc. was signed by X" or "a part of this
file/message/etc. was signed by X" and so on.

The next challenge is how to signal it to the end user. One challenge
with enigmail is it provides some of the signalling "in band" as it
were (in the email text area) which can be modified by the attacker,
and some of it "out of band: (at the top of the window area it puts
the color bar and text to clarify. With GPG command line it can maybe
say something like "part of this message was signed by X"?

I'm inclined to assign a CVE to this type of vulnerability but I have
no idea how we fix this _properly_. Anyone have ideas?


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRb14FAAoJEBYNRVNeJnmTF/UQAI5niyrCCZ/MXR7kaP6ugzWA
ldKWCMlI3D5GUyuQSabAiKDnNq5o6hevPkNs2RMBO4YtVin9cTcC3Obv3YAttSTQ
N1H5JgroXO+1Q13v0pGJy1olw5SiTaWcyDMrAQ1EJpW5+E/yx+qNIkfMksZ8+NVH
aokzOocX2LMQj7n1FjfB3gO8zIIhTTsRqCKX+cwfJZgJPD3FywySX3DsZZj2dRdo
IgTuuYHAE+ZsNuV/rZO/Plv/KfzjBVu0RHxtaOnowaMZTDrw1LEcj8zPOKV/nOf5
m9IV4oMMSz6zVnlIDABBdj8dZFuPN1Kp72j9ox0fcQjy5E1c+ZQ1alFNg6MmoShm
3olCEX4cLmIRSnxB4G92Y80Pj2XmV/PKHrhwGZpggCGdTwEskXej8VcXiKFjH4JN
sFpT8aHywKtP3GsWDx6fFkFe9Zy4ZPVlbfruySz9H4rFxywJJDbjoydDvBnhxzCy
gffBcYnDPQ1YGnO8WrE8oNMT8jIeCEhOXvd73pgQCy/FvE68X3Q4keSvlwbR1TCE
jfTGQqMS18yTshlISHF2rt9eOEkbDPzxHfFuOE/kWoYizqRfVjRW/WsZM+CYwVwH
bkM+MGgyh7qa0Jb4eYHvqsl0EJkkp55Kuw3vCx3jcJpi3f6IXItpphgJt2rln4bQ
Eop7WmP7qJR1/2y7ExFL
=1b8Q
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.