Privacy Leak in Version: and Comment: header
It has been noted that there is a quite important privacy leak in the OpenPGP "Version:" and "Comment:" headers, which usually contain very sensitive information regarding the software version used.

In the NSA XKEYSCORE's ages, that kind of information does provide a very important weakness.

The adversary capable of massively monitoring communications, profiling who encrypts their email communications, can profile the exact version of encryption software used, waiting for a vulnerability to be found.

When a vulnerability is found for the exact version of the encryption software used, the adversary can exploit the "exposure window" by having prior knowledge of the end-point encryption software weakness.

This ticket is to improve GPGTools not to permit, by default, inserting any kind of "Version:" and "Comment:" headers, unless the end-user explicitly requires to do so with a command line argument or a configuration line.

The same privacy leak issue has been reported on the GnuPG ticketing system https://bugs.g10code.com/gnupg/issue1572 and the Enigmail ticketing system https://sourceforge.net/p/enigmail/bugs/215/
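The leak described in this ticket sits in the armor header block of an ASCII-armored OpenPGP message (RFC 4880, section 6.2), the lines between the `-----BEGIN PGP ...-----` line and the first blank line. The script below is an added example, not code from GPGTools or GnuPG: it parses that header block, reports any `Version:`/`Comment:` lines it finds, and produces a copy of the message with those lines removed, which is a useful check to run over a mail client's outgoing messages when auditing whether the defaults discussed here are in effect. The two sample messages are constructed placeholders (the base64 body is not real ciphertext, and the version and comment strings are invented).

```python
import re
from typing import Dict, List

# Constructed sample of a message that leaks software identity in its armor
# headers. The body and checksum are placeholders, not a real OpenPGP packet.
LEAKY_MESSAGE = """-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: Example client comment

hQEMA1234567890abcdef...
=AbCd
-----END PGP MESSAGE-----
"""

# Constructed sample of the same message with an empty armor header block.
CLEAN_MESSAGE = """-----BEGIN PGP MESSAGE-----

hQEMA1234567890abcdef...
=AbCd
-----END PGP MESSAGE-----
"""

ARMOR_BEGIN = re.compile(r"^-----BEGIN PGP [A-Z ]+-----$")

# Armor header keys that identify the sending software (the subject of this ticket).
LEAKY_KEYS = ("Version", "Comment")


def armor_headers(text: str) -> Dict[str, List[str]]:
    """Return the armor header block as {key: [values]}.

    Headers start on the line after the BEGIN line and end at the first blank
    line; each is "Key: value". Only the first colon separates key from value,
    so a URL inside a Comment value is kept intact.
    """
    headers: Dict[str, List[str]] = {}
    in_headers = False
    for line in text.splitlines():
        if not in_headers:
            if ARMOR_BEGIN.match(line.strip()):
                in_headers = True
            continue
        if line.strip() == "":
            break
        key, sep, value = line.partition(":")
        if sep:
            headers.setdefault(key.strip(), []).append(value.strip())
    return headers


def leaked_headers(text: str) -> Dict[str, List[str]]:
    """Subset of the armor headers that reveal the encryption software used."""
    return {k: v for k, v in armor_headers(text).items() if k in LEAKY_KEYS}


def strip_leaky_headers(text: str) -> str:
    """Return the message with Version:/Comment: header lines removed.

    Everything outside the header block (the base64 body, CRC line and END
    line) is copied through unchanged.
    """
    out = []
    in_headers = False
    for line in text.splitlines(keepends=True):
        if not in_headers:
            out.append(line)
            if ARMOR_BEGIN.match(line.strip()):
                in_headers = True
            continue
        if line.strip() == "":
            in_headers = False  # blank line closes the header block
            out.append(line)
            continue
        if line.partition(":")[0].strip() in LEAKY_KEYS:
            continue  # drop the identifying header
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for name, msg in (("leaky", LEAKY_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, "->", leaked_headers(msg) or "no identifying headers")
    print(strip_leaky_headers(LEAKY_MESSAGE))
```

Stripping the header after the fact is only a fallback for auditing: the fix the ticket asks for is to not emit the lines at all, which in GnuPG is the `no-emit-version` and `no-comments` configuration options in `gpg.conf` (the same settings the GPGPreferences pane discussed in this thread toggles). Note that the check above deliberately leaves other armor headers such as `Hash:` alone, since a cleartext-signed message needs it.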
Support Staff 1 Posted by Luke Le on 25 Nov, 2013 08:34 AM
We'll see what we can do about this.
One problem which comes to mind is that we've encountered clients which rely on the version information, and don't parse the PGP message in absence of such a version.
Your point however is perfectly valid of course.
Support Staff 2 Posted by Steve on 30 Jan, 2014 05:17 PM
Hi Fabio,
first, thanks a lot for that input. This is a delicate question, as is changing defaults. We do our best to keep users on the latest MacGPG2 release. But you make a valid point here.
For documentation's sake: It is currently possible to deactivate the display of both version and comment. That is done very easily via System Preferences > GPGPreferences (see attached screenshot for what options to set).
As for the default, basically what Luke said. If some clients require this, I'm not sure if changing the default is currently an ideal solution.
All the best, steve
3 Posted by Fabio Pietrosan... on 02 Feb, 2014 09:08 AM
I see that the Version information has been fixed by the GnuPG project, and in all of the new releases only the major version is reported.
I expect that this is the only version information being used by other clients.
So, regarding the Comment field, that's where the GnuPG tools identification is reported; because it's not used, we could remove it by default.
What do you think?
4 Posted by Fabio Pietrosan... on 28 Apr, 2014 07:20 AM
Hi,
today Enigmail has also been fixed.
So, now Enigmail and GnuPG have both fixed this issue:
GnuPG has been fixed:
https://bugs.g10code.com/gnupg/issue1572
EnigMail has been fixed (yesterday):
http://sourceforge.net/p/enigmail/bugs/216/
Would you consider providing such safe defaults?
Support Staff 5 Posted by Steve on 01 Jun, 2014 03:08 PM
Hi Fabio,
thanks for reminding us of this. And thanks for cross-linking all the issues, linking the crypto community together and allowing us to keep track of what's happening in the other development teams' departments :)
This is fixed. New installations will not display the version info.
All the best,
steve
Steve closed this discussion on 05 Aug, 2014 10:58 AM.