Profile picture
Matthew Green @matthew_d_green
, 16 tweets, 3 min read Read on Twitter
New vulnerabilities in many PGP and S/MIME enabled email clients. Allows exfiltration of plaintext by mauling HTML emails. A few thoughts. efail.de
In a nutshell, if I intercept an encrypted email sent to you, I can modify that email into a new encrypted email that contains custom HTML. In many GUI email clients, this HTML can exfiltrate the plaintext to a remote server. Ouch. 2/
It’s an extremely cool attack and kind of a masterpiece in exploiting bad crypto, combined with a whole lot of sloppiness on the part of mail client developers. 3/
The real news here is probably about S/MIME, which is actually used in corporate e-mail settings. Attacking and modifying encrypted email stored on servers could actually happen, so this is a big deal. 4/
Plus the attack on S/MIME is straightforward because it’s (a) a dumb protocol, and (b) a simple protocol not filled with legacy cruft, and (c) it’s built into email clients. Dumb and simple and one vendor to blame. 5/
But of course the attack also implicated the garbage-fire that is the PGP ecosystem so of course that’s what everyone is talking about. Over on HN the “its not PGP it’s mail clients” dance has begun so I guess we have to talk about that. 6/
So let me just cut through some of that. If you were using GnuPG on the command line and checking your error results, it’s absolutely true that you’re fine. If you’ve been using (one of several) GUI clients with PGP encryption, you were anything but fine. 7/
Put this differently: if any properly integrated messaging system like Signal or iMessage had similar flaws, we would all correctly say that the system was broken and unsafe. (In fact, we did: blog.cryptographyengineering.com/2016/03/21/att…)
But when it comes to PGP, the quality expectations on the crypto are low because it was invented in the Precambrian era. So it doesn’t do proper authentication except as an optional afterthought. 9/
Here’s Werner Koch’s explanation. See: PGP has supported proper optional message authentication (which stops this attack) since 2001, but it can’t be made mandatory because “some implementations haven’t kept up.” 10/
I JUST CHECKED AND IT IS 2018, WERNER. I THINK WE CAN MAKE AUTHENTICATED ENCRYPTION MANDATORY NOW. 11/
So in summary, PGP clients are vulnerable because 17 years after a vulnerability was known, the mitigation was not made a default in GnuPG and defense was instead “left to PGP clients”, which also make a convenient scapegoat when it goes pear-shaped. 12/
Moving on from the question of who is to blame, there are two neat findings in this work. The first is that most mail clients are (were) *way* too willing to reach out to remote servers, even when set up not to. This is: yikes.
The other stuff is more technical and of academic interest: PGP uses DEFLATE compression, which makes tweaking emails much harder — when you’re working blind and can’t see the plaintext. But even cruft like this is no real defense. 14/
So in summary: what do these attacks teach us? It’s frustrating because in terms of new flaws and mitigations, the answer is: almost nothing. 15/
In practical terms, however, the lesson is this: there is no such thing as a ‘theoretical vulnerability’. There are exploitable vulnerabilities, and vulnerabilities that haven’t been exploited yet. We need to build systems like we recognize this. 16/16
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Matthew Green
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @matthew_d_green see all

Profile picture
The Facebook stablecoin (if it works, scales, gets deployed and adopted by non-Facebook companies, doesn’t get regulated into dust) is going to be a massive game-changer for the financial services industry. Fight me.
Hell, even if Facebook is able to make a credible run at deploying the thing, it will give them huge leverage with their banking relationships. No more closed (to FB) instant networks like Zelle, reduced transaction fees, etc.
Summary of the comments: (1) a bunch of people seem to think asset-backed stablecoins won’t be allowed by regulators, or that people won’t use/trust them. That horse has already bolted. google.com/amp/s/www.coin…
Read 5 tweets
Profile picture
The theory, for what it’s worth, was that the big brand name services would behave better than the fly-by-night shady data brokers. Much as CVS is perceived as less likely to put Fentanyl into your medicine than, say, the drug dealer on the corner.
The sole redeeming feature of the centralization of the web was supposed to be improved data handling. Better security and oversight of partners (like ad networks etc.) Instead we got Facebook treating your data the way a teenager treats a house when the parents go out of town.
The Facebooks and Googles would do this voluntarily, in part because it’s smart business — don’t give away the store. But mostly because it’s way easier for governments to target them with punitive regulations.
Read 4 tweets
Profile picture
@LargeCardinal The group messaging mechanism is very different. In Signal (app) group messages are layered on top of the existing pairwise messaging system. To add a new user, you (an existing user) have to send encrypted control messages to each existing user. The server can’t do this.
@LargeCardinal In fact, the Signal server doesn’t even know what a group message is. As far as it’s concerned, when I send a message to a group of N people, it just looks like I’m sending a bunch of pairwise messages at the same time.
@LargeCardinal In WhatsApp (as of a few months ago) the server knows what group messages are. It actually sends special control (add/remove) requests to the members of the group, and it handles multiplexing group messages to all of the other users.
Read 4 tweets

Related threads

Profile picture
#New Traders, Understand #Mathematics Of #Profit In Market Before You Put Hard #Earned Money On Risk.

Expectancy = Success Rate x Reward Risk Ratio

Lets Talk About Expectancy Of Short Term Directional Trading System.

Read On (1/n)
Success Rate = No Of Profitable Tades/ No Of Loss Making Trades

Reward Risk Ratio = Average Profit Per Trade / Average Loss Per Trade

If Success Rate is 0.5 and Reward Risk 2, Then

Expectancy = 2 x 0.5 =1

For Making Profit, Expectancy Should Be Positive Number (2/n)
To Calculate Expectancy, You Need Defined System With Rules To Get Success Rate and Reward Risk. If You Have No System To Take Decisions, You Are Hanging In Thin Air and Will Never No Whether You Will Keep Making Or Loosing Money In Future (3/n)
Read 12 tweets
Profile picture
#NEW on ARC2020: #CAP & #MFF | Eco-Spin without Public Goods Substance.
Its been 2 weeks since the MFF proposals, here's our round up of some of the perspectives so far.
All perspective-givers tagged in picture.
arc2020.eu/cap-mff-eco-sp…
What's needed?
@davidbaldock & Allan Buckwell of @IEEP_eu:
1: Sufficient funding for environmental measures in Pillar 1
2: Specifics for New Delivery Model
3: Flexibility for Pillar 1 to 2 transfers
4. Fund ANCs under Pillar 1
arc2020.eu/cap-mff-eco-sp…
#MFF #FutureofCAP #CAP
And who said: "unconditional direct income support to farmers is manifestly absurd in today’s world when it maintains uncompetitive farming practices that have negative implications for the climate, the environment or people’s health"?
Why @AnnikaAhtonen of @epc_eu
Read 8 tweets
Profile picture
I got up at 6am yesterday. Shortly before going to bed last night, #Efail broke. Since then I've been deluged in messages from very scared people who have wanted and needed to hear things are not as bad as they're being made out to be. 1/
I am literally hallucinating from sleep deprivation. I'm still here. Still answering DMs, emails, Google Hangout messages, Signal messages, more. I'm talking to journalists who are trying to get another take.

I am *exhausted*. 2/
This is why responsible disclosure is so necessary. Irresponsible disclosure terrifies people. It might be good for clicks and pageviews, but we all pay the price for it in lost sleep. 3/
Read 7 tweets
Profile picture
A new security vulnerability has been discovered in PGP (and GPG) that affects a range of email clients and plugins. To protect yourself, EFF highly recommends that for now you uninstall or disable your PGP email plug-in. #efail 1/4 eff.org/deeplinks/2018…
Here are instructions for disabling the Enigmail or GPGTools plug-ins in some common email clients:
Thunderbird: eff.org/deeplinks/2018…
Apple Mail: eff.org/deeplinks/2018…
Outlook: eff.org/deeplinks/2018…
More details about the vulnerability will be made public on 2018-05-15 07:00 UTC. We will release more explanations and analysis then.
Read 5 tweets
Profile picture
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: eff.org/deeplinks/2018… #efail 2/4
Here are @EFF’s guides for disabling PGP/GPG in Thunderbird eff.org/deeplinks/2018…, Apple Mail eff.org/deeplinks/2018…, and Outlook eff.org/deeplinks/2018…. #efail 3/4
Read 4 tweets
Profile picture
#New PA cong. map increases D chance of winning the House majority by 4%. They only need a 6.8% generic ballot margin now (down from 7.7) to be favored.

Diff. will be closer to 10% in Nov when uncertainty from polls is ⬇️. Redraw is a very big deal.

One major reason the new PA map is such a big gain for Democrats is that it solidifies, not just tips, PA districts in Philly burbs. Also creates one additional vulnerable R district. (Easily seen in this map made by @JMilesColeman)
My forecasting model will have new PA map in the near future. This is not just a simple switch; it’s a coding redesign, restructuring of input, & drawing new geographic files. Takes a while (for me, a student).

In the meantime, just add 3-4% to the model: bit.ly/2018_house
Read 4 tweets

Trending hashtags

#PodestaEmails #Traitors #Breitbart #MFF #CAP #ProTip #AwanLaptop #drones #MoreComing #TrustThePlan #ThoughtsAndPrayers #BadgeOfHonor #spin #QProofs #FBI #AllForALarp #Israel #PA #NeverTrump #New #Xbox #Thiel #cats #NeverTrumps #NewYork

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!