Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Cryptography Leak in Enigmail / GnuPG

Fabio Pietrosanti (naif) lists at infosecurity.ch
Mon Apr 28 00:25:31 PDT 2014


Il 11/24/13, 2:19 PM, Fabio Pietrosanti (naif) ha scritto:
> I just wanted to notice that the mostly used encryption software like
> GnuPG and Enigmail, have some privacy leak that in the XKEYSCORE's ages
> could represent a major risk.
>
> a) Enigmail, Thunderbird's PGP plugin, does send "X-Enigmail-Version:"
> header on ALL email sent, also the unencrypted one.
>
> b) GnuPG, following the " -----BEGIN PGP MESSAGE-----", does add version
> information such as " Version: GnuPG/MacGPG2 v2.0.19 (Darwin)" .

An update on this issue following reports of October '13 :

FIXED:

- GnuPG
https://bugs.g10code.com/gnupg/issue1572

- EnigMail (yesterday)
http://sourceforge.net/p/enigmail/bugs/216/


NOT FIXED:

- GPGTool
http://support.gpgtools.org/discussions/everything/13667-privacy-leak-in-version-and-comment-header

- Outlook Privacy Plugin
https://code.google.com/p/outlook-privacy-plugin/issues/detail?id=124

- GPG4Win: "Privacy Leak in Version: and Comment: header"
http://wald.intevation.org/tracker/index.php?func=detail&aid=6470&group_id=11&atid=126


-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140428/3fe688d4/attachment.html>


More information about the liberationtech mailing list