GPGMail: Multipart mixed-encrypted messages misrepresent security level


Steven Schlansker

10 Nov, 2017 10:33 PM

My colleague and I were testing GPGMail's resilience to MITM style attacks. (Our corporation has decided that all emails shall have a disclaimer attachment, much to our frustration).

Unfortunately, we determined that if a message is sent signed and encrypted, and is modified in transit to prepend an additional MIME section, the separate sections are both rendered but the "Security:" header misleads you into believing the entire message is signed and encrypted.

In the additional information, I have attached a screenshot and full dump of the email in question. Note the section:

--13dd5389-63da-4178-8114-1ac42777e074
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

CAUTION: This email originated from outside OpenTable. Do not click links o=
r open attachments unless you recognize the sender and know the content is =

was inserted in transit.

The header should indicate that the signature is only valid for part of the mail, either with additional verbiage or by visually delineating the signed section. Otherwise, a MITM can change the contents of a mail without indication of tampering.

Additional info

macOS           10.11.6     15G1611
GPG Suite       2016.10     21  
GPGMail         2.6.2       1169
GPG Keychain    1.3.2       1245
GPGServices     1.11        916 
MacGPG2         2.0.30      884 
GPGPreferences  2.0.1       902 
Libmacgpg       0.7         775 
pinentry        0.9.7       4
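The structure described in the report, as an added example that is not part of the original post or of GPGMail's code: a constructed PGP/MIME message (placeholder ciphertext, not real OpenPGP data) is wrapped in transit by a multipart/mixed whose first part is a text/plain disclaimer, and a MIME-tree check then reports which leaf parts actually sit under the multipart/encrypted (or multipart/signed) node. That per-part answer is what a "Security:" banner would need in order to distinguish "the whole body is protected" from "only one sub-tree is protected". Addresses, the disclaimer text and all function names are constructed for the example.

```python
"""Constructed example: does PGP/MIME protection cover the whole body or only a sub-tree?"""
import email
from email import encoders, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# RFC 3156 containers whose sub-tree is covered by the PGP layer.
PROTECTED_TYPES = {"multipart/encrypted", "multipart/signed"}

# Placeholder armor so the tree has the right shape; this is NOT real OpenPGP data.
FAKE_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "CONSTRUCTED-PLACEHOLDER-NOT-REAL-OPENPGP-DATA\n"
    "=AAAA\n"
    "-----END PGP MESSAGE-----\n"
)


def build_pgp_mime_message() -> bytes:
    """Build a stand-in for a signed+encrypted PGP/MIME message as the sender emits it."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = "alice@example.org"      # constructed
    outer["To"] = "bob@example.org"          # constructed
    outer["Subject"] = "quarterly numbers"   # constructed
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted", encoders.encode_7or8bit)
    body = MIMEApplication(FAKE_CIPHERTEXT.encode("ascii"), "octet-stream",
                           encoders.encode_7or8bit, name="encrypted.asc")
    outer.attach(control)
    outer.attach(body)
    return outer.as_bytes()


def prepend_disclaimer(raw: bytes, disclaimer: str) -> bytes:
    """Simulate the in-transit modification: wrap the original body in multipart/mixed
    with a text/plain disclaimer first, keeping the envelope headers on the outside."""
    original = email.message_from_bytes(raw)
    wrapper = MIMEMultipart("mixed")
    for name in list(original.keys()):
        if name.lower() == "mime-version" or name.lower().startswith("content-"):
            continue
        wrapper[name] = original[name]
        del original[name]
    del original["MIME-Version"]  # the inner part is now just a body part
    wrapper.attach(MIMEText(disclaimer, "plain", "us-ascii"))
    wrapper.attach(original)
    return wrapper.as_bytes()


def protection_report(raw: bytes) -> list:
    """For every leaf part return (path, content-type, covered), where covered is True
    iff the leaf lies under a multipart/encrypted or multipart/signed node."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []

    def walk(part, path, covered):
        ctype = part.get_content_type()
        covered = covered or ctype in PROTECTED_TYPES
        if part.is_multipart():
            for i, child in enumerate(part.iter_parts()):
                walk(child, f"{path}.{i}" if path else str(i), covered)
        else:
            report.append((path or "root", ctype, covered))

    walk(msg, "", False)
    return report


def security_banner(raw: bytes) -> str:
    """A blanket 'Signed, Encrypted' banner is only honest when no leaf falls
    outside the protected sub-tree; otherwise name the unprotected parts."""
    report = protection_report(raw)
    unprotected = [(path, ctype) for path, ctype, covered in report if not covered]
    if not any(covered for _, _, covered in report):
        return "No PGP/MIME protection"
    if not unprotected:
        return "Signed/Encrypted (entire message)"
    parts = ", ".join(f"{path} ({ctype})" for path, ctype in unprotected)
    return f"PARTIALLY protected; parts outside the PGP/MIME section: {parts}"


if __name__ == "__main__":
    original = build_pgp_mime_message()
    tampered = prepend_disclaimer(original, "CAUTION: This email originated from outside the company.")
    for label, raw in (("original", original), ("tampered", tampered)):
        print(f"{label}: {security_banner(raw)}")
        for path, ctype, covered in protection_report(raw):
            print(f"  part {path:<5} {ctype:<28} {'protected' if covered else 'UNPROTECTED'}")
```

Running the script prints "Signed/Encrypted (entire message)" for the untouched message and a "PARTIALLY protected" banner naming part 0 (the text/plain disclaimer) for the wrapped one. The check is purely structural: it never needs to decrypt or verify, so a client can compute it before the PGP layer runs and use it to delineate the covered region in the UI.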
  1. Posted by Luke Le (Support Staff) on 23 Nov, 2017 12:20 AM

    Hi Steven,

    Thank you for reporting this issue. While we do have this kind of differentiation when it comes to multiple inline PGP signed parts, it's not available for PGP/MIME messages at the moment.

    I have created a ticket and this discussion will be updated once we make progress on this issue.

  2. Steve closed this discussion on 26 Mar, 2018 01:40 PM.
