Security
End-To-End webmail encryption
In early June, a team at Google released some code that brings support for OpenPGP encryption to webmail clients running in the Chrome/Chromium browser. Called simply End-To-End, the initial release was made in source form only—for the purposes of security review.
End-To-End was announced in a June 3 blog post. It is designed to be compiled as a browser extension for Chrome or Chromium, and it provides webmail clients running in those browsers with OpenPGP-compatible message encryption and decryption—including support for signed messages. The blog post puts End-To-End into the context of Google's ongoing security enhancements for Gmail, but claims End-To-End itself is not a Gmail-specific program. Nevertheless, at the moment there is not an official list of which other webmail services are supported; in fact, the only other one referenced is a bug report indicating some problems using End-To-End with the open-source Zimbra client.
![The welcome screen in End-To-End](https://static.lwn.net/images/2014/06-ete-welcome-sm.png)
When up and running, End-To-End allows users to compose an outgoing message, then encrypt and sign it locally with an OpenPGP key. End-To-End can import an existing OpenPGP keyring, which it then stores in its own localStorage area so that the keys are accessible from within Chrome/Chromium's sandbox. It can also generate a new key and keyring, though it supports only Elliptic Curve (EC) key generation. Existing keys—both private and public—of non-EC types are still supported for all other operations. End-To-End's keyring is separate from any other OpenPGP keyring the user might already possess, so the public keys of other users must be imported into End-To-End's keyring before they can be used. Users can either import the entire external keyring during setup, or import each key individually (which is an option presented when opening an encrypted message).
The extension differs a bit from other OpenPGP implementations in that it stores the user's private and public keys on a single keyring, and only supports encrypting the entire keyring with a passphrase, rather than individual keys. The FAQ on the main page says that this was a decision made to minimize the number of passphrases users are required to remember.
Usage
At this point, End-To-End is provided as source code only, which users must build and manually install as a browser extension. For those who do not use Chrome/Chromium regularly, note that it is also necessary to enable "Developer mode" in the browser so that one can install a local, un-packaged extension.
When in use, End-To-End provides a button in the browser's extension toolbar that provides access to a pop-up message composition window, a pop-up decryption window, and utility functions (which include key import). If you are logged in to a webmail client and composing a message, the composition window copies the current contents of the in-progress message into its own mini-composer; if the recipient's public key is in the keyring, End-To-End will use it when you click the "Protect this message" button (alternatively, you can enter the recipient's address within the mini-composer or encrypt the message with a passphrase). PGP signatures are also supported; one can even click the "Protect this message" button with no recipients included to add a PGP signature without encrypting the message's contents.
![Message composition in End-To-End](https://static.lwn.net/images/2014/06-ete-compose-sm.png)
However you choose to protect the message, clicking on the "Insert into the page" button copies the PGP-protected text back into the webmail composition window. Similarly, if you receive an encrypted message, the End-To-End menu button can copy its contents into its decryption window and unscramble it.
Users who are accustomed to PGP-style encryption will not find the process difficult. The first big question to answer when assessing the project's usefulness is whether or not End-To-End makes email encryption easier for anyone new to the subject. This is not easy to say; some might find the separate End-To-End window that hovers over the main webmail message composer a bit perplexing. Others might notice that if the browser tab loses focus, the End-To-End window and its contents vanish immediately.
Of course, there are security reasons for these behaviors: End-To-End does not work directly in the page contents so that it is isolated from other elements in the page (which, intentionally or not, could interfere and risk a security breach) and there are good reasons not to leave the contents of the window available if the user is away doing something else.
Security
The other big question concerning End-To-End is whether or not it is genuinely safe to use. In the blog announcement and on the project's home page, the team emphasizes that this is a project still in development and that the release is meant to attract more scrutiny of End-To-End's security. The page even asks developers not to download the code, compile it, and submit the result to the official Chrome extension "store," on the grounds that it still requires further vetting.
Historically, PGP encryption for webmail has been a thorny issue. One of the main reasons was that an encryption library (in JavaScript) delivered in a web page is regarded as suspect, since it (like other page content) could be modified by an attacker at the server (or even en-route), the content and the JavaScript execution environment can be modified by other JavaScript on the page, and there are potential information leaks (such as reliance on the JavaScript interpreter's garbage collection rather than any real "secure delete" facility).
But End-To-End does not rely on encryption routines or secrets sent with the page content itself. In that sense, it is as secure as composing a message in a text editor, encrypting it on the command line, then pasting it into the webmail client. There are still risks, of course, but the bigger concerns for a built-in PGP function or extension are concepts like key management and sandboxing—along with implementation details of the core routines, which still should be audited.
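The difference between the two designs can be modeled in a few lines. This is an added illustration, not End-To-End's code or part of the original article: `toyEncrypt` is a toy XOR stand-in for a real cipher, plain objects stand in for the page's JavaScript scope, and every name is hypothetical.

```javascript
// Toy stand-in for an encryption routine (NOT real cryptography):
// XOR of ASCII text with a repeating key, hex-encoded.
function toyEncrypt(plaintext, key) {
  let out = '';
  for (let i = 0; i < plaintext.length; i++) {
    const b = (plaintext.charCodeAt(i) ^ key.charCodeAt(i % key.length)) & 0xff;
    out += b.toString(16).padStart(2, '0');
  }
  return out;
}

// Design 1: the library arrives with the page and lives on the shared page scope.
function loadPageLibrary(pageScope) {
  pageScope.pageCrypto = { encrypt: toyEncrypt };
}

// The webmail composer looks the routine up on that shared scope at send time.
function composeInPage(pageScope, plaintext, key) {
  return pageScope.pageCrypto.encrypt(plaintext, key);
}

// Stand-in for "other JavaScript on the page": it can only touch what the
// page scope exposes. Returns true if it found a routine it could wrap.
function otherPageScript(pageScope, observed) {
  if (!pageScope.pageCrypto) return false;
  const original = pageScope.pageCrypto.encrypt;
  pageScope.pageCrypto.encrypt = (plaintext, key) => {
    observed.push(plaintext);
    return original(plaintext, key);
  };
  return true;
}

// Integrity check a defender could run from OUTSIDE the page scope;
// run from inside the page it could be replaced like anything else.
function routineIntact(pageScope) {
  return pageScope.pageCrypto.encrypt === toyEncrypt;
}

// Design 2: the routine is a private binding in a closure; the page
// never receives a reference, only the finished ciphertext.
function createIsolatedComposer() {
  const encrypt = toyEncrypt;
  return Object.freeze({
    protectAndInsert(pageScope, plaintext, key) {
      pageScope.composeBox = encrypt(plaintext, key);
    },
  });
}

function runDemo() {
  const message = 'meet at noon'; // constructed sample
  const key = 'k3y';              // constructed sample

  const page1 = {}; const seen1 = [];
  loadPageLibrary(page1);
  const wrapped1 = otherPageScript(page1, seen1);
  const ciphertext1 = composeInPage(page1, message, key);

  const page2 = { composeBox: '' }; const seen2 = [];
  const composer = createIsolatedComposer();
  const wrapped2 = otherPageScript(page2, seen2);
  composer.protectAndInsert(page2, message, key);

  return {
    pageDelivered: { wrapped: wrapped1, intact: routineIntact(page1), seen: seen1, ciphertext: ciphertext1 },
    isolated: { wrapped: wrapped2, seen: seen2, ciphertext: page2.composeBox },
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Both designs produce the same ciphertext, so a recipient cannot tell that the page-delivered routine was wrapped; only the isolated design keeps the plaintext away from other page scripts.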
The project FAQ supplies a few basic answers to common questions. For example, as mentioned above, End-To-End uses a single keyring to store the user's private key and all collected public keys. The encryption keys are also stored in memory unencrypted, which the FAQ notes could mean that key material is sent to Google in a crash report if the browser's "send crash reports" feature is enabled. That is certainly a problem one would hope to see fixed before End-To-End becomes more widespread or a built-in feature.
As always, one is dependent on the browser's implementation of features like sandboxing and secure localStorage to be free of serious errors. Perhaps to that end, the blog post notes that End-To-End, although still experimental, is eligible for Google's vulnerability bounty program.
On the other hand, End-To-End does implement its own cryptographic functions and OpenPGP routines, rather than using an existing library like OpenPGP.js. Of course, OpenPGP.js may not be a widely-scrutinized project in the grand scheme of things; if Google chooses to invest further in End-To-End it could attract more eyes. But OpenPGP.js is already in use by other projects with similar aims, such as Mailvelope—which also has the advantage of being usable in Firefox as well as Chrome. If Google persists in maintaining End-To-End as a Chrome/Chromium-only tool, there would be competing implementations in webmail encryption, with the possibility of incompatibilities. As Enigmail has seen, even adhering to the relevant RFCs does not protect one from all possible compatibility problems.
Perhaps there are valid reasons for maintaining a new in-browser OpenPGP tool; End-To-End makes some implementation choices that other OpenPGP projects might not agree with. For example, it does not support fetching public keys from a keyserver (perhaps because doing so would complicate the sandboxing process). Similarly, End-To-End opts for a single passphrase for the entire keyring for the sake of simplicity, but not every user will find that trade-off worthwhile.
The landscape of webmail-encryption tools is sparse as it is; the other major approach is WebPG, which is built around the Netscape Plugin API (NPAPI) that, these days, is used less and less even by Mozilla. But WebPG does call out to the system's GnuPG library, which is ostensibly a more widely-tested PGP implementation than either End-To-End or OpenPGP.js. But even if the security community does thoroughly vet and enhance End-To-End's cryptographic features, as Google hopes it will, the project will still face the challenge of winning over a non-trivial percentage of webmail users. And that may be an unsolvable problem, regardless of the implementation details.
Brief items
Security quotes of the week
Cell phones differ in both a quantitative and a qualitative sense from other objects that might be kept on an arrestee’s person. The term “cell phone” is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.
So Americans, thankfully, are rational. Let’s hope that legislators and prosecutors start listening to their voters.
New vulnerabilities
castor: XML injection
Package(s): castor
CVE #(s): CVE-2014-3004
Created: June 20, 2014
Updated: December 31, 2014
Description: From the CVE entry: The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.
ctdb: insecure temporary files
Package(s): ctdb
CVE #(s): CVE-2013-4159
Created: June 25, 2014
Updated: March 30, 2015
Description: From the openSUSE advisory:
ctdb was updated to version 2.3 to fix several temp file vulnerabilities
dbus: denial of service
Package(s): dbus
CVE #(s): CVE-2014-3477
Created: June 19, 2014
Updated: December 22, 2014
Description: From the Mageia advisory:
A denial of service vulnerability in D-Bus before 1.6.20 allows a local attacker to cause a bus-activated service that is not currently running to attempt to start, and fail, denying other users access to this service. Additionally, in highly unusual environments the same flaw could lead to a side channel between processes that should not be able to communicate (CVE-2014-3477).
firefox: code execution
Package(s): MozillaFirefox
CVE #(s): CVE-2014-1539 CVE-2014-1543
Created: June 20, 2014
Updated: June 25, 2014
Description: From the CVE entry: Multiple heap-based buffer overflows in the navigator.getGamepads function in the Gamepad API in Mozilla Firefox before 30.0 allow remote attackers to execute arbitrary code by using non-contiguous axes with a (1) physical or (2) virtual Gamepad device. (CVE-2014-1543)
foreman-proxy: shell command injection
Package(s): foreman-proxy
CVE #(s): CVE-2014-0007
Created: June 19, 2014
Updated: June 25, 2014
Description: From the Red Hat advisory:
A shell command injection flaw was found in the way foreman-proxy verified URLs in the TFTP module. A remote attacker could use this flaw to execute arbitrary shell commands on the system with the privileges of the user running foreman-proxy. (CVE-2014-0007)
gnupg: denial of service
Package(s): gnupg
CVE #(s): CVE-2014-4617
Created: June 25, 2014
Updated: April 23, 2015
Description: From the Slackware advisory:
This release includes a security fix to stop a denial of service using garbled compressed data packets which can be used to put gpg into an infinite loop.
heat: information leak
Package(s): heat
CVE #(s): CVE-2014-3801
Created: June 19, 2014
Updated: October 23, 2014
Description: From the Ubuntu advisory:
Jason Dunsmore discovered that OpenStack heat did not properly restrict access to template information. A remote authenticated attacker could exploit this to see URL provider templates of other tenants for a limited time.
iodine: authentication bypass
Package(s): iodine
CVE #(s): CVE-2014-4168
Created: June 23, 2014
Updated: August 18, 2014
Description: From the Debian advisory:
Oscar Reparaz discovered an authentication bypass vulnerability in iodine, a tool for tunneling IPv4 data through a DNS server. A remote attacker could provoke a server to accept the rest of the setup or also network traffic by exploiting this flaw.
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2014-4014
Created: June 19, 2014
Updated: June 25, 2014
Description: From discoverer Andy Lutomirski's description:
The bug is that, if you created a user namespace and retained capabilities in that namespace, then you could use chmod to set the setgid bit on any file you owned, including files with, say, group 0. The impact depends on what files are available that have gids that shouldn't be available to the users who own the file. For example, the existence of a uid != 0, gid == 0 file would allow that uid to escalate privileges to gid 0, which is likely good enough for full root.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2014-0203
Created: June 20, 2014
Updated: June 25, 2014
Description: From the Red Hat advisory: It was discovered that the proc_ns_follow_link() function did not properly return the LAST_BIND value in the last pathname component as is expected for procfs symbolic links, which could lead to excessive freeing of memory and consequent slab corruption. A local, unprivileged user could use this flaw to crash the system.
kernel: information disclosure
Package(s): kernel
CVE #(s): CVE-2014-0206
Created: June 25, 2014
Updated: July 25, 2014
Description: From the Red Hat advisory:
It was found that the aio_read_events_ring() function of the Linux kernel's Asynchronous I/O (AIO) subsystem did not properly sanitize the AIO ring head received from user space. A local, unprivileged user could use this flaw to disclose random parts of the (physical) memory belonging to the kernel and/or other processes.
libreoffice: unexpected VBA macro execution
Package(s): libreoffice
CVE #(s): CVE-2014-0247
Created: June 23, 2014
Updated: July 3, 2014
Description: From the Ubuntu advisory:
It was discovered that LibreOffice unconditionally executed certain VBA macros, contrary to user expectations.
musl: code execution
Package(s): musl
CVE #(s): CVE-2014-3484
Created: June 19, 2014
Updated: June 25, 2014
Description: From the Mageia advisory:
A remote stack-based buffer overflow has been found in musl libc's dns response parsing code. The overflow can be triggered in programs linked against musl libc and making dns queries via one of the standard interfaces (getaddrinfo, getnameinfo, gethostbyname, gethostbyaddr, etc.) if one of the configured nameservers in resolv.conf is controlled by an attacker, or if an attacker can inject forged udp packets with control over their contents. Denial of service is also possible via a related failure in loop detection (CVE-2014-3484).
pdns: denial of service
Package(s): pdns
CVE #(s):
Created: June 23, 2014
Updated: June 25, 2014
Description: From the Mageia advisory:
PowerDNS recursor is vulnerable to a denial of service due to a bug that causes it to exhaust the maximum number of file descriptors that are available to a process.
rb_libtorrent: stop UPNP from opening port 0
Package(s): rb_libtorrent
CVE #(s):
Created: June 23, 2014
Updated: September 5, 2014
Description: From the Fedora advisory:
stop UPNP from opening port 0
rubygem-openshift-origin-node: code execution
Package(s): rubygem-openshift-origin-node
CVE #(s): CVE-2014-3496
Created: June 19, 2014
Updated: June 25, 2014
Description: From the Red Hat advisory:
A command injection flaw was found in rubygem-openshift-origin-node. A remote, authenticated user permitted to install cartridges via the web interface could use this flaw to execute arbitrary code with root privileges on the Red Hat OpenShift Enterprise node server. (CVE-2014-3496)
samba: multiple vulnerabilities
Package(s): samba
CVE #(s): CVE-2014-0178 CVE-2014-0244 CVE-2014-3493
Created: June 23, 2014
Updated: July 31, 2014
Description: From the Debian advisory:
CVE-2014-0178: Information leak vulnerability in the VFS code, allowing an authenticated user to retrieve eight bytes of uninitialized memory when shadow copy is enabled.
CVE-2014-0244: Denial of service (infinite CPU loop) in the nmbd Netbios name service daemon. A malformed packet can cause the nmbd server to enter an infinite loop, preventing it from processing later requests to the Netbios name service.
CVE-2014-3493: Denial of service (daemon crash) in the smbd file server daemon. An authenticated user attempting to read a Unicode path using a non-Unicode request can force the daemon to overwrite memory at an invalid address.
samba: denial of service
Package(s): samba
CVE #(s): CVE-2014-0239
Created: June 25, 2014
Updated: June 25, 2014
Description: From the CVE entry:
The internal DNS server in Samba 4.x before 4.0.18 does not check the QR field in the header section of an incoming DNS message before sending a response, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged response packet that triggers a communication loop, a related issue to CVE-1999-0103.
tomcat: multiple vulnerabilities
Package(s): tomcat
CVE #(s): CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119
Created: June 25, 2014
Updated: February 23, 2015
Description: From the Mageia advisory:
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data (CVE-2014-0075).
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2014-0096).
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header (CVE-2014-0099).
Apache Tomcat before 6.0.40 and 7.x before 7.0.54 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or read files associated with different web applications on a single Tomcat instance via a crafted web application (CVE-2014-0119).
wireshark: denial of service
Package(s): wireshark
CVE #(s): CVE-2014-4020
Created: June 19, 2014
Updated: June 25, 2014
Description: From the Mageia advisory:
The frame metadissector could crash (CVE-2014-4020).
Page editor: Jake Edge