Serious vulnerabilities with OpenPGP and S/MIME
Posted May 14, 2018 14:23 UTC (Mon) by karkhaz (subscriber, #99844)
Parent article: Serious vulnerabilities with OpenPGP and S/MIME
"Will signatures prevent these attacks?
No. PGP and S/MIME emails are displayed in the email program independently of whether or not they are signed or whether an existing signature is valid or not. Even if signatures did matter: an attacker can copy the altered ciphertext into a separate email and create a valid signature under his own name."
Therefore, in addition, we need mail clients to warn the user if the email is signed by somebody other than the person in the sender field. Even then, the user might not notice if they were expecting email from larry@gmail.com and received email whose From: and signature are both from larry@gmail.corn, since they look fairly similar.
So in summary, mail clients could do this:
- If the email is encrypted but unsigned, don't decrypt the email and warn the user
- If the email is encrypted and the signature doesn't validate, don't decrypt the email and warn the user
- If the address of the signature is different from the From: field in the email header, don't decrypt the email and warn the user
- (paranoid level 11) if the address in the From: field is very similar to an address that you have already Trusted on First Use, then don't decrypt the email and warn the user.
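The four rules in the list above, written out as a pre-decryption policy check. This is an added example in Python, not code from the commenter, from LWN, or from any mail client. It assumes the client's crypto layer has already reported whether the message is encrypted and signed, whether the signature verifies, and which user ID is on the signing key (modelled here as a small dataclass rather than a call into GnuPG or an S/MIME library); the confusable table, the TOFU store contents and the sample messages are all constructed for the example.

```python
"""Pre-decryption policy for an encrypted mail: refuse and warn unless the
message is signed, the signature validates, the signer is the From: address,
and (paranoid mode) the From: address does not merely resemble a trusted one.
Added example; the crypto status is assumed to come from the mail client's
OpenPGP/S-MIME layer and is modelled as a dataclass here."""

from dataclasses import dataclass
from email.utils import parseaddr

# Constructed confusable table (assumption for the example): a run of glyphs on
# the left renders much like the character on the right in common fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))

# Constructed TOFU store: addresses the user has already trusted on first use.
TRUSTED = {"larry@gmail.com", "alice@example.org"}


@dataclass
class Message:
    from_header: str            # raw From: header, e.g. 'Larry <larry@gmail.com>'
    encrypted: bool
    signed: bool = False
    signature_valid: bool = False
    signer_uid: str = ""        # user ID on the signing key, as reported by the crypto layer


def address_of(header: str) -> str:
    """Bare addr-spec from a From: header or key user ID, lowercased for comparison
    (local parts are case-sensitive in theory; treating them as equal is the
    conservative choice here, since it can only produce more warnings)."""
    return parseaddr(header)[1].strip().lower()


def skeleton(addr: str) -> str:
    """Collapse confusable glyph runs so that lookalikes compare equal."""
    s = addr.lower()
    for run, char in CONFUSABLES:
        s = s.replace(run, char)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(addr: str, trusted, max_distance: int = 1):
    """Return the trusted address that `addr` resembles, or None.
    An address that is itself in the store is never a lookalike."""
    if addr in trusted:
        return None
    for t in trusted:
        if skeleton(addr) == skeleton(t) or levenshtein(skeleton(addr), skeleton(t)) <= max_distance:
            return t
    return None


def decide(msg: Message, trusted, paranoid: bool = True):
    """Apply the rules in order; returns (action, reason) where action is
    'display' (nothing to decrypt), 'decrypt', or 'refuse' (warn the user)."""
    if not msg.encrypted:
        return ("display", "not encrypted")
    if not msg.signed:
        return ("refuse", "encrypted but unsigned")
    if not msg.signature_valid:
        return ("refuse", "signature does not validate")
    sender = address_of(msg.from_header)
    signer = address_of(msg.signer_uid)
    if sender != signer:
        return ("refuse", f"signed by {signer!r} but From: is {sender!r}")
    if paranoid:
        victim = lookalike_of(sender, trusted)
        if victim is not None:
            return ("refuse", f"From: {sender!r} resembles trusted {victim!r}")
    return ("decrypt", "signed by the From: address")


if __name__ == "__main__":
    # Constructed sample messages exercising each rule.
    samples = [
        Message("Larry <larry@gmail.com>", True, True, True, "Larry <larry@gmail.com>"),
        Message("Larry <larry@gmail.com>", True),
        Message("Larry <larry@gmail.com>", True, True, False, "Larry <larry@gmail.com>"),
        Message("Larry <larry@gmail.com>", True, True, True, "Mallory <mallory@attacker.example>"),
        Message("Larry <larry@gmail.corn>", True, True, True, "Larry <larry@gmail.corn>"),
    ]
    for m in samples:
        print(m.from_header, "->", decide(m, TRUSTED))
```

Note that the lookalike rule only needs to examine From:, because the preceding rule has already forced the signer address to equal From:; an attacker who wants the mail decrypted must therefore sign with a key carrying the lookalike address, and that is exactly the address the last rule compares against the TOFU store.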
Posted May 18, 2018 2:05 UTC (Fri) by johnjones (guest, #5462)
Yes, agree completely.
Good advice:
"- If the email is encrypted but unsigned, don't decrypt the email and warn the user
- If the email is encrypted and the signature doesn't validate, don't decrypt the email and warn the user
- If the address of the signature is different from the From: field in the email header, don't decrypt the email and warn the user
- (paranoid level 11) if the address in the From: field is very similar to an address that you have already Trusted on First Use, then don't decrypt the email and warn the user."