[liberationtech] Cryptography Leak in Enigmail / GnuPG
Fabio Pietrosanti (naif)
lists at infosecurity.ch
Sun Nov 24 05:19:05 PST 2013
I just wanted to notice that the mostly used encryption software like
GnuPG and Enigmail, have some privacy leak that in the XKEYSCORE's ages
could represent a major risk.
a) Enigmail, Thunderbird's PGP plugin, does send "X-Enigmail-Version:"
header on ALL email sent, also the unencrypted one.
b) GnuPG, following the " -----BEGIN PGP MESSAGE-----", does add version
information such as " Version: GnuPG/MacGPG2 v2.0.19 (Darwin)" .
So, from a adversary perspective monitoring traffic encrypted with GnuPG
and Enigmail, those are extremely valuable information to plan and
prepare for and end-point attack, profiling the end-user target.
Are those pieces of information really needed to make the Enigmail /
GnuPG software working?
--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
More information about the liberationtech
mailing list