[liberationtech] Cryptography Leak in Enigmail / GnuPG

Tom O winterfilth at gmail.com
Mon Jun 2 13:48:01 PDT 2014


As far as I was aware all of these could be turned off as an option in the
interface.



On Tuesday, June 3, 2014, Tomer Altman <taltman1 at stanford.edu> wrote:

> Is this really a cryptographic leak? This seems more like metadata to me.
> Your subject line makes it sound as if the cryptographic software itself is
> leaking information about the plain-text.
>
> If your concern is providing details that an attacker can use to crack
> your encryption, then this is security through obscurity, which has pros
> and cons:
> http://serverfault.com/a/81697
>
> But it sounds like you are more concerned about leaking information such
> as the user's OS, and other details that can be used to build up a
> fingerprint of metadata that identifies you.
>
> I'm sure once you start using PGP of any kind, you get a special
> designation in these surveillance systems. It could actually raise the cost
> of surveillance by marking *ALL* of your outgoing messages with these
> PGP-related headers, as that increases the processing burden. In fact,
> perhaps everyone should include a PGP-encrypted blob whenever they email
> anyone, in order to increase the volume of messages and cyphertext that the
> surveillance apparatus has to process.
>
> Can you state precisely the threat model that you are concerned about?
>
> Cheers,
>
> ~Tomer
>
>
>
> ----- Original Message -----
> From: "Fabio Pietrosanti (naif)" <lists at infosecurity.ch>
> To: liberationtech at lists.stanford.edu
> Sent: Monday, June 2, 2014 6:59:43 AM
> Subject: Re: [liberationtech] Cryptography Leak in Enigmail / GnuPG
>
> On 4/28/14, 9:25 AM, Fabio Pietrosanti (naif) wrote:
>
>
>
> On 11/24/13, 2:19 PM, Fabio Pietrosanti (naif) wrote:
>
>
>
> I just wanted to note that the most-used encryption software, like
> GnuPG and Enigmail, has some privacy leaks that in the XKEYSCORE age
> could represent a major risk.
>
> a) Enigmail, Thunderbird's PGP plugin, sends the "X-Enigmail-Version:"
> header on ALL email sent, including unencrypted mail.
>
> b) GnuPG, following the "-----BEGIN PGP MESSAGE-----" line, adds version
> information such as "Version: GnuPG/MacGPG2 v2.0.19 (Darwin)".
>
> An update on this issue following intermediate reports of April '14
> (following initial report of October '13).
>
> FIXED:
> - OSX GPGTool (yesterday)
> http://support.gpgtools.org/discussions/everything/13667-privacy-leak-in-version-and-comment-header
> - GnuPG https://bugs.g10code.com/gnupg/issue1572
> - EnigMail http://sourceforge.net/p/enigmail/bugs/216/
>
> YET TO BE FIXED:
> - Outlook Privacy Plugin
> https://code.google.com/p/outlook-privacy-plugin/issues/detail?id=124
>
> - GPG4Win: "Privacy Leak in Version: and Comment: header"
>
> http://wald.intevation.org/tracker/index.php?func=detail&aid=6470&group_id=11&atid=126
>
>
> --
> Fabio Pietrosanti (naif)
> HERMES - Center for Transparency and Digital Human Rights
> http://logioshermes.org - http://globaleaks.org - http://tor2web.org
>
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at stanford.edu.
>
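An added example, not part of the original thread and not code from Enigmail or GnuPG: a small audit that reports the two fields named in (a) and (b) of the quoted report, the `X-Enigmail-Version` mail header and the `Version:` / `Comment:` armor headers that follow a `-----BEGIN PGP ...-----` line. The sample message is constructed; its addresses, the `1.6` value and the body are assumptions, and only the `Version:` string is taken from the thread.

```python
import email
import re
from email import policy

LEAKY_MAIL_HEADERS = ("x-enigmail-version",)   # item (a), compared lowercase
LEAKY_ARMOR_KEYS = ("Version", "Comment")      # item (b) and the linked bug titles
ARMOR_BEGIN = re.compile(r"^-----BEGIN PGP [A-Z ]+-----\s*$")

def audit_armor(text):
    """Return armor headers that reveal client/OS detail in an ASCII-armored block."""
    findings, in_headers = [], False
    for line in text.splitlines():
        if ARMOR_BEGIN.match(line):
            in_headers = True          # armor headers start right after BEGIN
            continue
        if in_headers:
            key, sep, value = line.partition(": ")
            if not sep:                # blank line ends the armor header section
                in_headers = False
            elif key in LEAKY_ARMOR_KEYS:
                findings.append(("armor-header", key, value.strip()))
    return findings

def audit_message(raw):
    """Return (location, name, value) for every fingerprinting field in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = [("mail-header", name, str(value))
                for name, value in msg.items()
                if name.lower() in LEAKY_MAIL_HEADERS]
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undo base64/QP if used
        findings += audit_armor(payload.decode("utf-8", errors="replace"))
    return findings

# Constructed sample message (not a real capture; the body is not real ciphertext).
SAMPLE = (
    "From: alice@example.org\nTo: bob@example.org\nSubject: test\n"
    "X-Enigmail-Version: 1.6\nContent-Type: text/plain; charset=us-ascii\n\n"
    "-----BEGIN PGP MESSAGE-----\n"
    "Version: GnuPG/MacGPG2 v2.0.19 (Darwin)\n"
    "Comment: constructed sample\n\n"
    "hQEMA0constructedNotRealCiphertext\n=abcd\n"
    "-----END PGP MESSAGE-----\n"
)

if __name__ == "__main__":
    for location, name, value in audit_message(SAMPLE):
        print(f"{location}: {name} = {value}")
```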