Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Cryptography Leak in Enigmail / GnuPG

Jacob Appelbaum jacob at appelbaum.net
Sun Nov 24 08:39:14 PST 2013


Fabio Pietrosanti (naif):
> I just wanted to notice that the mostly used encryption software like
> GnuPG and Enigmail, have some privacy leak that in the XKEYSCORE's ages
> could represent a major risk.
> 
> a) Enigmail, Thunderbird's PGP plugin, does send "X-Enigmail-Version:"
> header on ALL email sent, also the unencrypted one.
> 
> b) GnuPG, following the " -----BEGIN PGP MESSAGE-----", does add version
> information such as " Version: GnuPG/MacGPG2 v2.0.19 (Darwin)" .
> 
> So, from a adversary perspective monitoring traffic encrypted with GnuPG
> and Enigmail, those are extremely valuable information to plan and
> prepare for and end-point attack, profiling the end-user target.
> 
> Are those pieces of information really needed to make the Enigmail /
> GnuPG software working?
> 

When a user uses TorBirdy with Enigmail and Thunderbird, we disable
those information leaks. We also have a mode (disabled by default due to
user complaints) to remove the keyid of the recipient from the PGP
encrypted message itself.

All the best,
Jacob



More information about the liberationtech mailing list