[liberationtech] Cryptography Leak in Enigmail / GnuPG
Tomer Altman
taltman1 at stanford.edu
Mon Jun 2 09:43:11 PDT 2014
Is this really a cryptographic leak? This seems more like metadata to me. Your subject line makes it sound as if the cryptographic software itself is leaking information about the plain-text.
If your concern is providing details that an attacker can use to crack your encryption, then this is security through obscurity, which has pros and cons:
http://serverfault.com/a/81697
But it sounds like you are more concerned about leaking information such as the user's OS, and other details that can be used to build up a fingerprint of metadata that identifies you.
I'm sure once you start using PGP of any kind, you get a special designation in these surveillance systems. It could actually raise the cost of surveillance by marking *ALL* of your outgoing messages with these PGP-related headers, as that increases the processing burden. In fact, perhaps everyone should include a PGP-encrypted blob whenever they email anyone, in order to increase the volume of messages and ciphertext that the surveillance apparatus has to process.
Can you state precisely the threat model that you are concerned about?
Cheers,
~Tomer
----- Original Message -----
From: "Fabio Pietrosanti (naif)" <lists at infosecurity.ch>
To: liberationtech at lists.stanford.edu
Sent: Monday, June 2, 2014 6:59:43 AM
Subject: Re: [liberationtech] Cryptography Leak in Enigmail / GnuPG
On 4/28/14, 9:25 AM, Fabio Pietrosanti (naif) wrote:
On 11/24/13, 2:19 PM, Fabio Pietrosanti (naif) wrote:
I just wanted to note that the most widely used encryption software, like
GnuPG and Enigmail, has some privacy leaks that in the XKEYSCORE age
could represent a major risk.
a) Enigmail, Thunderbird's PGP plugin, sends an "X-Enigmail-Version:"
header on ALL email sent, including unencrypted mail.
b) GnuPG, following " -----BEGIN PGP MESSAGE-----", adds version
information such as " Version: GnuPG/MacGPG2 v2.0.19 (Darwin)".
An update on this issue following intermediate reports of April '14 (following initial report of October '13).
FIXED:
- OSX GPGTool (yesterday) http://support.gpgtools.org/discussions/everything/13667-privacy-leak-in-version-and-comment-header
- GnuPG https://bugs.g10code.com/gnupg/issue1572
- EnigMail http://sourceforge.net/p/enigmail/bugs/216/
YET TO BE FIXED:
- Outlook Privacy Plugin
https://code.google.com/p/outlook-privacy-plugin/issues/detail?id=124
- GPG4Win: "Privacy Leak in Version: and Comment: header"
http://wald.intevation.org/tracker/index.php?func=detail&aid=6470&group_id=11&atid=126
--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights http://logioshermes.org - http://globaleaks.org - http://tor2web.org
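Added example, not part of this thread and not code from GnuPG, Enigmail or any of the projects listed above: a small Python check that flags and strips the two leaks Fabio lists, the "X-Enigmail-Version:" mail header from (a) and the "Version:"/"Comment:" armor headers from (b). It assumes a single-part text/plain message and works on a constructed sample, not a real capture; the function names are this example's own.

```python
import email
from email import policy

# Constructed sample message (not a real capture): an unencrypted mail carrying
# the X-Enigmail-Version header from leak (a) and an armored body carrying the
# Version: and Comment: armor headers from leak (b).
SAMPLE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: hello
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: example comment

hQEMA0examplebase64blob==
=AbCd
-----END PGP MESSAGE-----
"""

# Mail headers and armor headers that identify the sender's software stack.
LEAKY_MAIL_HEADERS = ("X-Enigmail-Version",)
LEAKY_ARMOR_HEADERS = ("version", "comment")


def armor_header_lines(text):
    """Yield (line_index, key, value) for every armor header line in text.

    Armor headers are the "Key: Value" lines between a -----BEGIN PGP ...-----
    line and the first blank line; everything after that blank line is data.
    """
    in_headers = False
    for i, line in enumerate(text.splitlines()):
        if line.startswith("-----BEGIN PGP"):
            in_headers = True
            continue
        if not in_headers:
            continue
        if line.strip() == "":
            in_headers = False
            continue
        key, sep, value = line.partition(":")
        if sep:
            yield i, key.strip(), value.strip()


def find_armor_leaks(text):
    """Return [(key, value)] for Version:/Comment: armor headers in text."""
    return [(k, v) for _, k, v in armor_header_lines(text)
            if k.lower() in LEAKY_ARMOR_HEADERS]


def strip_armor_leaks(text):
    """Return text with Version:/Comment: armor header lines removed.

    Other armor headers (e.g. Hash: in a cleartext signature) are kept, and
    the blank separator line stays so the armor remains well-formed.
    """
    drop = {i for i, k, _ in armor_header_lines(text)
            if k.lower() in LEAKY_ARMOR_HEADERS}
    kept = [line for i, line in enumerate(text.splitlines()) if i not in drop]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def scan_message(raw):
    """Report fingerprintable fields in a single-part text/plain message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = {"mail_headers": {}, "armor_headers": []}
    for name in LEAKY_MAIL_HEADERS:
        if name in msg:
            found["mail_headers"][name] = str(msg[name])
    if msg.get_content_type() == "text/plain":
        found["armor_headers"] = find_armor_leaks(msg.get_content())
    return found


def scrub_message(raw):
    """Return the message as a string with the fingerprintable fields removed."""
    msg = email.message_from_string(raw, policy=policy.default)
    for name in LEAKY_MAIL_HEADERS:
        del msg[name]
    if msg.get_content_type() == "text/plain":
        msg.set_content(strip_armor_leaks(msg.get_content()))
    return msg.as_string()


if __name__ == "__main__":
    print(scan_message(SAMPLE))
    print(scrub_message(SAMPLE))
```

A check like this belongs on an outgoing-mail path (a sending filter or a test over a mailbox) rather than on the wire: the proper fix is at the source, and for the GnuPG side the `no-emit-version` and `no-comments` options in gpg.conf stop the armor headers from being written in the first place, which is what the fixes linked above amount to.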
--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.