Privacy Leak in Version: and Comment: header

Fabio Pietrosanti (naif)

24 Nov, 2013 04:58 PM

It has been noted that there are some quite important privacy leaks in the
OpenPGP "Version:" and "Comment:" headers, which usually contain very sensitive
information regarding the software version used.

In the age of NSA XKEYSCORE, this kind of information provides a very
important weakness.

An adversary capable of massively monitoring communications, profiling who
encrypts their email communications, can profile the exact version of encryption
software used while waiting for a vulnerability to be found.

When a vulnerability is found for the exact version of the encryption software
used, the adversary can exploit the "exposure window" by having a prior
knowledge of the end-point encryption software weakness.

This ticket is to improve GPGTools so that, by default, it does not insert any kind of
"Version:" and "Comment:" header, unless the end-user explicitly requires it with a command line argument or a configuration line.

The same privacy leak issue has been reported on the GnuPG ticketing system https://bugs.g10code.com/gnupg/issue1572 and the Enigmail ticketing system https://sourceforge.net/p/enigmail/bugs/215/
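As an added illustration of the leak described in this ticket (this is example code, not part of the original thread or of GPGTools), the following Python script parses the armor header lines of an ASCII-armored OpenPGP block and reports which headers identify the sending software. It can be run over a mailbox or outgoing-mail queue to audit whether a client is still emitting an exact version or a client-identifying comment. The three sample messages are constructed for the example; their base64 bodies are placeholders, not real OpenPGP packets, because only the armor headers matter here.

```python
import re

# Armor start line, e.g. "-----BEGIN PGP MESSAGE-----" (RFC 4880 section 6.2)
_BEGIN = re.compile(r"^-----BEGIN PGP [A-Z ]+-----$")

# Anything finer-grained than a bare major number, e.g. "1.4.11" or "2.0.22"
_FULL_VERSION = re.compile(r"\d+\.\d+")


def armor_headers(armored: str) -> dict:
    """Return the armor headers of an ASCII-armored OpenPGP block.

    Headers are the "Key: Value" lines between the BEGIN line and the first
    blank line. A key may repeat, so each key maps to a list of values.
    """
    lines = armored.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if _BEGIN.match(line.strip()))
    except StopIteration:
        raise ValueError("no PGP armor BEGIN line found")
    headers = {}
    for line in lines[start + 1:]:
        if line.strip() == "":
            break  # the blank line terminates the armor header block
        key, sep, value = line.partition(":")
        if not sep:
            break  # not a header line; treat as start of the body
        headers.setdefault(key.strip(), []).append(value.strip())
    return headers


def header_findings(headers: dict) -> list:
    """Describe what the armor headers reveal about the sender's software."""
    findings = []
    for value in headers.get("Version", []):
        if _FULL_VERSION.search(value):
            findings.append(f"Version header reveals exact software version: {value!r}")
        else:
            # GnuPG's fixed behaviour, as described in the thread: major version only
            findings.append(f"Version header present (major version only): {value!r}")
    for value in headers.get("Comment", []):
        findings.append(f"Comment header identifies the client: {value!r}")
    return findings


def audit(armored: str) -> list:
    """Convenience wrapper: parse the block and return its findings."""
    return header_findings(armor_headers(armored))


# Constructed samples (placeholder bodies, not real OpenPGP packets).
VERBOSE_MESSAGE = "\n".join([
    "-----BEGIN PGP MESSAGE-----",
    "Version: GnuPG v1.4.11 (Darwin)",
    "Comment: GPGTools - http://gpgtools.org",
    "",
    "hQEMA0xhbXBsZVBsYWNlaG9sZGVyQm9keQ==",
    "=AbCd",
    "-----END PGP MESSAGE-----",
])

MAJOR_ONLY_MESSAGE = "\n".join([
    "-----BEGIN PGP MESSAGE-----",
    "Version: GnuPG v2",
    "",
    "hQEMA0xhbXBsZVBsYWNlaG9sZGVyQm9keQ==",
    "=AbCd",
    "-----END PGP MESSAGE-----",
])

BARE_MESSAGE = "\n".join([
    "-----BEGIN PGP MESSAGE-----",
    "",
    "hQEMA0xhbXBsZVBsYWNlaG9sZGVyQm9keQ==",
    "=AbCd",
    "-----END PGP MESSAGE-----",
])

if __name__ == "__main__":
    for name, msg in [("verbose", VERBOSE_MESSAGE),
                      ("major-only", MAJOR_ONLY_MESSAGE),
                      ("bare", BARE_MESSAGE)]:
        print(name, "->", audit(msg) or ["no identifying armor headers"])
```

The "verbose" sample is the shape this ticket complains about: the exact GnuPG version plus a Comment naming the client. The "major-only" sample reflects the GnuPG fix mentioned later in the thread, and the "bare" sample is what a client emits once both headers are disabled. For GnuPG itself the corresponding gpg.conf settings are `no-emit-version` and `no-comments`; GPGTools exposes the same two switches through its preference pane, as Steve notes below.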

  1. Support Staff 1 Posted by Luke Le on 25 Nov, 2013 08:34 AM

    We'll see what we can do about this.
    One problem which comes to mind is that we've encountered clients which rely on the version information and don't parse the PGP message in the absence of such a version.
    Your point however is perfectly valid of course.

  2. Support Staff 2 Posted by Steve on 30 Jan, 2014 05:17 PM

    Hi Fabio,

    first, thanks a lot for that input. This is a delicate question, as is changing defaults. We do our best to keep users on the latest MacGPG2 release. But you make a valid point here.

    For documentation's sake: it is currently possible to deactivate the display of both version and comment. That is done very easily via System Preferences > GPGPreferences (see attached screenshot for what options to set).

    As for the default, basically what Luke said. If some clients require this, I'm not sure if changing the default is currently an ideal solution.

    All the best, steve

  3. 3 Posted by Fabio Pietrosan... on 02 Feb, 2014 09:08 AM

    I see that the Version information has been fixed by the GnuPG project and in
    all of the new releases only the major version is reported.

    I expect that this is the only version information being used by other
    clients.

    So, regarding the Comment field, that's where the GnuPG tools
    identification is reported; because it's not used, we could remove it by
    default.

    What do you think?

  4. 4 Posted by Fabio Pietrosan... on 28 Apr, 2014 07:20 AM

    Hi,

    today Enigmail has also been fixed.

    So, now Enigmail and GnuPG have both fixed this issue:

    GnuPG has been fixed:
    https://bugs.g10code.com/gnupg/issue1572

    EnigMail has been fixed (yesterday):
    http://sourceforge.net/p/enigmail/bugs/216/

    Would you consider providing such safe defaults?

  5. Support Staff 5 Posted by Steve on 01 Jun, 2014 03:08 PM

    Hi Fabio,

    thanks for reminding us of this. And thanks for cross-linking all the issues, linking the crypto community together and allowing us to keep track of what's happening in the other development teams' departments :)

    This is fixed. New installations will not display the version info.

    All the best,
    steve

  6. Steve closed this discussion on 05 Aug, 2014 10:58 AM.
