Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Cryptography Leak in Enigmail / GnuPG

Fabio Pietrosanti (naif) lists at
Mon Jun 2 14:06:16 PDT 2014

Il 6/2/14, 6:43 PM, Tomer Altman ha scritto:
> Can you state precisely the threat model that you are concerned about?
You are right, the subject is not directly related to "cryptography" but
to "security" .

The threat model is better described in the ticket that has been opened
to various PGP email client's plugin such as 

With the fixes that has been done in GnuPG, Enigmail and GPGTool, such
software should provide safe default against this issue.

It has been also reported that Symantec Encryption Desktop (formerly PGP
Desktop) add multiple fingerprint to header leading to information
leak.  An issue ticket has been opened also for such commercial product.

The commercial PGP software add the following headers, at least not
adding the exact version number:

Received: from XXXXXXX
  by XXXX-YYYYY (PGP Universal service);
  Sun, XX XXX 20XX 11:11:11 +0100
X-PGP-Universal: processed;
	by XX-XXXXX on Sun, XX XXX 20XX 11:11:11 +0100

Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights - -

More information about the liberationtech mailing list