[liberationtech] Cryptography Leak in Enigmail / GnuPG
Jacob Appelbaum
jacob at appelbaum.net
Sun Nov 24 08:39:14 PST 2013
Fabio Pietrosanti (naif):
> I just wanted to note that the most used encryption software, like
> GnuPG and Enigmail, has some privacy leaks that in the XKEYSCORE age
> could represent a major risk.
>
> a) Enigmail, Thunderbird's PGP plugin, does send "X-Enigmail-Version:"
> header on ALL email sent, also the unencrypted one.
>
> b) GnuPG, following the "-----BEGIN PGP MESSAGE-----", does add version
> information such as "Version: GnuPG/MacGPG2 v2.0.19 (Darwin)".
>
> So, from an adversary's perspective, monitoring traffic encrypted with GnuPG
> and Enigmail, those are extremely valuable pieces of information to plan and
> prepare for an end-point attack, profiling the end-user target.
>
> Are those pieces of information really needed to make the Enigmail /
> GnuPG software work?
>
When a user uses TorBirdy with Enigmail and Thunderbird, we disable
those information leaks. We also have a mode (disabled by default due to
user complaints) to remove the keyid of the recipient from the PGP
encrypted message itself.
All the best,
Jacob