[liberationtech] Cryptography Leak in Enigmail / GnuPG
coderman
coderman at gmail.com
Mon Nov 25 15:43:55 PST 2013
On Sun, Nov 24, 2013 at 9:26 AM, Moritz Bartl <moritz at torservers.net> wrote:
> ...
> Important to note here is that by default, Enigmail adds the sender to
> the recipient list -- which is useful if you want to reread sent mail,
> but it also means that any encrypted mail contains not only the
> recipient key ID (which at least some users know), but also the sender
> key ID.
>
> Adding to the pain, if you receive a PGP message without keyID and have
> multiple private keys, GPG/Enigmail will dumbly rotate through the keys,
> without taking the actual email addresses (sender/recipient pair) from
> the mail header into account. This can only be solved on Enigmail-level,
> since only Enigmail "knows" about email headers.
>
> Thank you Fabio for filing the tickets! Maybe some good will come out of
> that.
email for private communication is folly, nevertheless,
it would be useful to use these fields for mis-information. e.g.
"camouflage". by inserting incorrect software in "BEGIN PGP MESSAGE",
by inserting a different version in "X-EnigMail-Version" or "Version:
and Comment: headers".
similar to the "Windows XP" mode of Tails, this camouflage would serve
to mislead potential attackers who would use this information for
targeted client side attacks.
best regards,
More information about the liberationtech
mailing list