[liberationtech] Cryptography Leak in Enigmail / GnuPG

Tomer Altman taltman1 at
Mon Jun 2 09:43:11 PDT 2014

Is this really a cryptographic leak? This seems more like metadata to me. Your subject line makes it sound as if the cryptographic software itself is leaking information about the plain-text.

If your concern is providing details that an attacker can use to crack your encryption, then this is security through obscurity, which has pros and cons:

But it sounds like you are more concerned about leaking information such as the user's OS, and other details that can be used to build up a fingerprint of metadata that identifies you.

I'm sure once you start using PGP of any kind, you get a special designation in these surveillance systems. It could actually raise the cost of surveillance by marking *ALL* of your outgoing messages with these PGP-related headers, as that increases the processing burden. In fact, perhaps everyone should include a PGP-encrypted blob whenever they email anyone, in order to increase the volume of messages and cyphertext that the surveillance apparatus has to process.

Can you state precisely the threat model that you are concerned about?



----- Original Message -----
From: "Fabio Pietrosanti (naif)" <lists at>
To: liberationtech at
Sent: Monday, June 2, 2014 6:59:43 AM
Subject: Re: [liberationtech] Cryptography Leak in Enigmail / GnuPG

On 4/28/14, 9:25 AM, Fabio Pietrosanti (naif) wrote:

On 11/24/13, 2:19 PM, Fabio Pietrosanti (naif) wrote:

I just wanted to note that the most used encryption software, like
GnuPG and Enigmail, has some privacy leaks that in the age of XKEYSCORE
could represent a major risk.

a) Enigmail, Thunderbird's PGP plugin, sends the "X-Enigmail-Version:"
header on ALL emails sent, including the unencrypted ones.

b) GnuPG, following the "-----BEGIN PGP MESSAGE-----" line, adds version
information such as "Version: GnuPG/MacGPG2 v2.0.19 (Darwin)".

An update on this issue following intermediate reports of April '14 (following initial report of October '13). 

- OSX GPGTool (yesterday)
- GnuPG
- EnigMail
- Outlook Privacy Plugin
- GPG4Win: "Privacy Leak in Version: and Comment: header"

Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
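
As an added example (not part of the original thread, nor code from Enigmail or GnuPG): a pre-send audit that flags and strips the two leaks described in the quoted report, the `X-Enigmail-Version:` mail header and the `Version:`/`Comment:` armor headers. The sample message, its addresses and the header value `1.6` are constructed, and a single-part message is assumed.

```python
import re
from email import message_from_string

LEAKY_ARMOR_KEYS = ("Version", "Comment")   # the armor headers named in the thread
BEGIN = re.compile(r"^-----BEGIN PGP [A-Z ]+-----\s*$")

def scrub_armor(text):
    """Drop Version:/Comment: armor headers; return (clean_text, findings)."""
    out, findings, in_headers = [], [], False
    for line in text.splitlines():
        if BEGIN.match(line):
            in_headers = True               # armor headers run until the first blank line
        elif in_headers and not line.strip():
            in_headers = False
        elif in_headers and line.split(":", 1)[0] in LEAKY_ARMOR_KEYS:
            findings.append(line.strip())
            continue                        # other keys (Hash:, Charset:) are kept
        out.append(line)
    return "\n".join(out), findings

def audit_message(raw):
    """Return (findings, scrubbed_message) for one single-part outgoing mail."""
    msg = message_from_string(raw)
    findings = [f"{k}: {v}" for k, v in msg.items()
                if k.lower() == "x-enigmail-version"]
    del msg["X-Enigmail-Version"]           # removes every occurrence, any case
    body, armor_findings = scrub_armor(msg.get_payload())
    msg.set_payload(body)
    return findings + armor_findings, msg.as_string()

# Constructed sample: addresses, header value and armor body are made up.
SAMPLE = """\
From: alice@example.org
To: bob@example.org
Subject: test
X-Enigmail-Version: 1.6

-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: constructed sample
Charset: utf-8

hQEMA0NvbnN0cnVjdGVkU2FtcGxl
=AbCd
-----END PGP MESSAGE-----
Version: this plain line is not an armor header
"""
```

Only lines between a `-----BEGIN PGP ...-----` line and the next blank line are treated as armor headers, so ordinary body text that happens to start with `Version:` is left alone.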
