Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Cryptography Leak in Enigmail / GnuPG

Fabio Pietrosanti (naif) lists at infosecurity.ch
Sun Nov 24 05:19:05 PST 2013


I just wanted to notice that the mostly used encryption software like
GnuPG and Enigmail, have some privacy leak that in the XKEYSCORE's ages
could represent a major risk.

a) Enigmail, Thunderbird's PGP plugin, does send "X-Enigmail-Version:"
header on ALL email sent, also the unencrypted one.

b) GnuPG, following the " -----BEGIN PGP MESSAGE-----", does add version
information such as " Version: GnuPG/MacGPG2 v2.0.19 (Darwin)" .

So, from a adversary perspective monitoring traffic encrypted with GnuPG
and Enigmail, those are extremely valuable information to plan and
prepare for and end-point attack, profiling the end-user target.

Are those pieces of information really needed to make the Enigmail /
GnuPG software working?

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org




More information about the liberationtech mailing list