[liberationtech] Cryptography Leak in Enigmail / GnuPG
jacob at appelbaum.net
Sun Nov 24 08:39:14 PST 2013
Fabio Pietrosanti (naif):
> I just wanted to note that the most widely used encryption software, like
> GnuPG and Enigmail, has some privacy leaks that in the XKEYSCORE age
> could represent a major risk.
> a) Enigmail, Thunderbird's PGP plugin, does send "X-Enigmail-Version:"
> header on ALL email sent, also the unencrypted one.
> b) GnuPG, following the " -----BEGIN PGP MESSAGE-----", does add version
> information such as " Version: GnuPG/MacGPG2 v2.0.19 (Darwin)" .
> So, from an adversary's perspective, monitoring traffic encrypted with GnuPG
> and Enigmail, this is extremely valuable information to plan and
> prepare for an end-point attack, profiling the end-user target.
> Are those pieces of information really needed to make the Enigmail /
> GnuPG software working?
When a user uses TorBirdy with Enigmail and Thunderbird, we disable
those information leaks. We also have a mode (disabled by default due to
user complaints) to remove the keyid of the recipient from the PGP
encrypted message itself.
All the best,
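As an added illustration (not part of the thread, and not TorBirdy's or Enigmail's code), the check below scans a raw RFC 822 message for the two leaks Fabio describes: an `X-Enigmail-Version:` mail header and a `Version:` (or `Comment:`) line inside the ASCII-armor header block of a PGP message. The sample messages are constructed; a mail administrator could run the same function over outgoing mail to confirm that clients are configured not to emit them.

```python
import re
from email import policy
from email.parser import BytesParser
from typing import List

# Constructed sample: a message carrying both leaks discussed in the thread.
LEAKY_EMAIL = b"""From: alice@example.org
To: bob@example.org
Subject: hello
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)

hQEMA0ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
=abcd
-----END PGP MESSAGE-----
"""

# Constructed sample: same message after the client stops adding its header
# and GnuPG runs with "no-emit-version" in gpg.conf (no armor Version line).
CLEAN_EMAIL = b"""From: alice@example.org
To: bob@example.org
Subject: hello
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----

hQEMA0ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
=abcd
-----END PGP MESSAGE-----
"""

ARMOR_BEGIN_RE = re.compile(r"^-----BEGIN PGP [A-Z ]+-----$")
ARMOR_KV_RE = re.compile(r"^(Version|Comment):\s*(.*)$")


def find_version_leaks(raw: bytes) -> List[str]:
    """Return a list of findings describing software-identifying leaks in one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []

    # 1. Client-identifying mail headers, added to every message whether
    #    or not the body is encrypted.
    for name, value in msg.items():
        if name.lower().startswith("x-enigmail"):
            findings.append(f"header {name}: {value}")

    # 2. Armor header lines. Everything between "-----BEGIN PGP ...-----" and
    #    the first blank line is the armor header block, where GnuPG writes
    #    "Version:" unless told not to.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        in_armor_header = False
        for line in part.get_content().splitlines():
            stripped = line.strip()
            if ARMOR_BEGIN_RE.match(stripped):
                in_armor_header = True
                continue
            if not in_armor_header:
                continue
            if stripped == "":
                in_armor_header = False  # blank line ends the armor header block
                continue
            m = ARMOR_KV_RE.match(stripped)
            if m:
                findings.append(f"armor {m.group(1)}: {m.group(2)}")
    return findings


if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, find_version_leaks(sample) or "no leaks found")
```

On the GnuPG side, the armor `Version:` line is controlled by the `emit-version` / `no-emit-version` option in gpg.conf, and the recipient key ID that TorBirdy's optional mode strips corresponds to GnuPG's `throw-keyids` option; both are existing GnuPG options, named here as the settings the check above would verify rather than as anything the thread itself recommends.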