[MlMt] PSA - PGP / GPG issue !

Benny Kjær Nielsen mailinglist at freron.com
Mon May 14 08:36:58 EDT 2018

On 14 May 2018, at 13:28, Nicholas Vahalik wrote:

> I think they are talking about this: https://efail.de
>> Not directly a MM issue

It is definitely also related to MailMate and MailMate 1.10 (February 
10th) is listed in the tables of the paper.

>> but I think it should be pointed out to everybody here using GPG (I 
>> certainly do):
>> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

Ok, this is a tricky email to write. I'd like to write that you are safe 
using MailMate, but I might have missed something and then I would look 
really stupid. MailMate is a one-man business and there are never any 
guarantees. I make mistakes and the best I can tell you is that I'll 
work to fix those mistakes when an issue is reported.

And this is exactly what happened when the `efail` project contacted me. 
The first issue was reported on February 10th and the following week or 
so several other issues were reported. Most of them I fixed quickly and 
I released test releases including these fixes. I couldn't exactly write 
what I had done in the release notes because of the non-disclosure 
nature of such reports, but all of my fixes were included in the public 
release of version 1.11 (March 12th).

The worst type of exploit was a technique which allowed a 
man-in-the-middle attacker to take any encrypted email and then send an 
email to the author of this email which would effectively decrypt the 
email and send the result to a server, for example, using an `<img src>` 
HTML reference. Other issues reported were less serious, for example, 
various techniques to work around image blocking if the attacker just 
wanted to know when (and to some extent where) you read an email. This 
could, for example, be done using so-called S/MIME intermediate 
certificates or by using a special fake DNS server and so-called DNS 

As a general stop-gap solution for similar types of problems I've also 
changed MailMate to always block external references when dealing with 
encrypted content in emails. This is, most of the time, not a problem 
since such emails are relatively rare.

I've fixed all of the above, but if someone finds out that I missed 
something then *please* let me know.

This is just me ranting a bit: Given the above, I'm a bit disappointed 
by the way these issues are now reported. I released a (I presume) fixed 
version of MailMate more than 2 months ago, but all I can find now with 
regard to the `efail` project is references to MailMate 1.10. There's 
not even a list online of the status of the email clients involved. In 
this regard, I preferred how the mailsploit issues were reported 
although in that case I did not receive any prior warning. I also liked 
that they provided an easy way for users to generate emails which could 
test their email clients. That said, I'm *very* glad that I did get 
prior notice of these `efail` issues since some of them were pretty hard 
to fix.

Other notes:

* `efail` affected both OpenPGP and S/MIME. In MailMate, the S/MIME had 
more issues than OpenPGP.
* It doesn't help much to configure your email client to only generate 
plain text emails. This is not the problem. If you want to be extra safe 
then you can use “Prefer Plain Text” in the Composer preferences 
pane and the 
hidden preference. But if my fixes work as expected then you shouldn't 
need to do so.
* I'm not a security expert and some of the `efail` issues are very 
smart and something I would never have considered to be a problem. It is 
quite possible that other issues exist which no one has thought of yet.

I hope this clears it up a bit. (I haven't read the paper or the 
homepage in detail yet and I might have missed something.)
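
The stop-gap described in the message above (always block external references when an email carries encrypted content), sketched as an added example that is not part of the original post and is not MailMate's code. The function names, the list of URL-bearing attributes and the sample message are assumptions made for illustration; it inspects only the outer MIME structure, not decrypted plaintext.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# MIME types that mark OpenPGP or S/MIME encrypted content.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted",
                   "application/pkcs7-mime", "application/x-pkcs7-mime"}
URL_ATTRS = {"src", "href", "background", "poster", "data", "action"}
# scheme://host or protocol-relative //host; cid:, data: and #fragment are local.
REMOTE = re.compile(r"(?i)^(?:[a-z][a-z0-9+.\-]*:)?//")

class ExternalRefFinder(HTMLParser):
    """Collects attributes that would make a client fetch a remote URL."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            v = (value or "").strip()
            if name in URL_ATTRS and REMOTE.match(v):
                self.refs.append((tag, name, v))

def has_encrypted_content(msg):
    """True if any MIME part is S/MIME or PGP/MIME, or holds inline PGP armor."""
    for part in msg.walk():
        if part.get_content_type() in ENCRYPTED_TYPES:
            return True
        if part.get_content_maintype() == "text" and \
                b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b""):
            return True
    return False

def rendering_decision(raw):
    """Decide for the whole message: one encrypted part blocks every remote fetch."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    finder = ExternalRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    encrypted = has_encrypted_content(msg)
    return {"encrypted": encrypted, "block_external": encrypted, "refs": finder.refs}

# Constructed sample: an HTML part next to an S/MIME part (placeholder body "AAAA").
SAMPLE = (b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b"\r\n\r\n'
          b'--b\r\nContent-Type: text/html; charset=utf-8\r\n\r\n'
          b'<p>hi</p><img src="http://tracker.example/p.png"><a href="#top">top</a>\r\n'
          b'--b\r\nContent-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n'
          b'Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b--\r\n')
```

The decision is made per message rather than per part, so an HTML part that sits outside the encrypted part is still rendered with remote loading disabled.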
