|
|
Subscribe / Log in / New account

OpenPGP signature spoofing using HTML

October 11, 2018

This article was contributed by Hanno Böck

Beyond just encrypting messages, and thus providing secrecy, the OpenPGP standard also enables digitally signing messages to authenticate the sender. Email applications and plugins usually verify these signatures automatically and will show whether an email contains a valid signature. However, with a surprisingly simple attack, it's often possible to fool users by faking — or spoofing — the indication of a valid signature using HTML email.

For example, until version 2.0.7, the Enigmail plugin for Mozilla Thunderbird displayed a correct and fully trusted signature as a green bar above the actual mail content. The problem: when HTML mails are enabled this part of the user interface can be fully controlled by the mail sender. Below is an image of real signed message in Enigmail:

[Enigmail real signature]

The signature below has been faked:

[Enigmail fake signature]

Thus an attacker can simply fake a signature by crafting an HTML mail that will display the green bar. This can, for example, be done by using a screen shot of a valid signature and embedding it as an image. The attack isn't perfect: in addition to the green bar, Enigmail shows an icon of a sealed letter in the header part of the mail. That part can't be faked. However the green bar is the much more visible indicator. It's plausible to assume that many users would fall for such a fake.

After learning about this attack, the Enigmail developers changed the behavior in version 2.0.8, which was released in August. Enigmail now displays the security indicator above the mail headers and thus outside of an attacker's control.

[Enigmail fix]

Perfect fakes

An even better fake can be achieved in the KDE application KMail. Signed mail in KMail is framed with a green bar above and below the mail. This can easily be recreated with an HTML table. If the message is viewed in a separate window, the fake is indistinguishable from a proper signature. Only a look into the message overview can uncover the fake: an icon indicates a signed mail.

Similar attacks are possible in other mail clients, too. In GNOME's Evolution, a green bar is displayed below the mail, but a faked signature has some minor display issues due to a border drawn around the mail content. A plugin for the web-mail client, Roundcube, is similarly vulnerable. In many cases, signatures using S/MIME are also vulnerable.

The examples mentioned all rely on HTML mail to fake signature indicators. HTML mail is often seen as a security risk, which was particularly highlighted by the EFAIL attack that was published by a research team earlier this year. EFAIL relied largely on HTML mail as a way to exfiltrate decrypted message content. Security-conscious users often disable the display of HTML mail, but all of the mail clients mentioned have the automatic display of HTML messages enabled by default.

In the GPGTools plugin for Apple Mail, this kind of attack was not possible using the same technique. The indication of a valid signature is displayed as a pseudo-header. A correctly signed mail contains a header indicating "Security: Signed" below the "To:" field. Since the mail headers are clearly separate from the mail content it's not possible to use HTML mail to achieve anything here. However, it turns out that it's possible to inject additional lines into the "Subject:" header that look like an additional mail header. This can be achieved in two ways: either by encoding a newline character in the subject line or by sending multiple subject headers within one mail.

Despite being able to inject additional fake mail headers, the attacker can't inject headers below the "To:" line. Thus, the order of the headers is not correct in a fake created with this trick. The pseudo-header also contains an icon: a check mark in a circle. While some similar characters exist in the Unicode standard, this exact icon cannot be replicated by an attacker.

Despite the shortcomings of this attack, the developers of GPGTools released an update that avoids this attack vector. Apple has not yet commented on the issue that, at its core, is a bug in Apple Mail, which should not allow multi-line subjects.

Text fakes

The text-mode client Mutt naturally isn't vulnerable to HTML-based attacks. Yet the most prominent indication of a signed message in Mutt is simply the output of the GPG verification command within the mail. One can easily send this output as part of the mail body. However, at the bottom of the screen, there is a message confirming the signature that cannot be faked. Here we see a real signature verification in Mutt:

[Mutt real signature]

And here is an example of a faked signature verification:

[Mutt fake signature]

When asked about this in email, a Mutt developer confirmed that the developers are aware of the issue and that several mitigations exist. Notably, enabling colors for signed messages makes this attack almost useless, as an attacker can't change colors of a mail in Mutt's standard settings.

It's worth mentioning that all these attacks require the attacker to know details about the victim's system, in particular, the mail client they use. However this information often isn't secret. Many mail clients routinely include the "X-Mailer:" header that specifies which mail client and version was used.

User-interface attacks

The attacks on signatures are a case of user-interface (UI) attacks. These don't just affect mail clients, they can happen anywhere that an attacker can potentially influence the look of some UI element.

In the past it was possible to fake a browser's URL-entry bar in a popup. This is prevented in modern browsers; all browser windows — including popups — always contain a real URL bar. Yet similar attacks remain possible on mobile browsers [PDF]. Other attacks of that kind are still possible. One is the picture-in-picture attack, where a web page may simply draw a new window that looks just like a whole browser within the page. Such a trick was recently used in an attempt to phish Steam user accounts.

UI attacks are nothing new, but they haven't been properly investigated in the email space until recently. The first defense is obvious: the security indicators need to be moved out of the attacker-controlled space. For users, disabling HTML mail display and promptly applying security updates to mail-handling programs — good security practices in any case — are the best ways to avoid these fakes.

[I presented this attack in a lightning talk at the SEC-T conference [YouTube] and was interviewed afterward [YouTube] for a podcast.]


Index entries for this article
SecurityEncryption/Email
SecurityVulnerabilities/UI spoofing
GuestArticlesBöck, Hanno

to post comments

OpenPGP signature spoofing using HTML

Posted Oct 11, 2018 19:05 UTC (Thu) by marduk (subscriber, #3831) [Link] (2 responses)

I wonder if UAs should, in addition to showing when a message is signed, show when a message is *not* signed. If you get two different messages, you can deduce it is fake.

OpenPGP signature spoofing using HTML

Posted Oct 12, 2018 7:33 UTC (Fri) by niner (subscriber, #26151) [Link]

That sounds like an excellent idea!

FWIW I've been running kmail with "Prefer HTML to plain text" in the security settings disabled for years. Thus I have to actively click to enable HTML layouting when viewing an email. For the vast majority of emails that's not necessary as the text version is just fine and I get the rare signature information before there's any chance of spoofing. It's just the occasional booking confirmation or newsletter that comes with a useless text version. I can live with that very well.

OpenPGP signature spoofing using HTML

Posted Oct 12, 2018 15:59 UTC (Fri) by darnir (subscriber, #111258) [Link]

This is indeed a good idea. Another is for UAs to display the signature status in a location where the mail body / headers cannot affect it. For example, in Mutt, irrespective of whether the signature is valid or not, I can see that a signature was attached.

Now, if the signature was invalid, I would see 2 outputs which is immediately a red flag. And if I see a valid signature output but the mail status shows that no signature file was attached, I once again know that there is something fishy going on

OpenPGP signature spoofing using HTML

Posted Oct 12, 2018 8:41 UTC (Fri) by revmischa (guest, #74786) [Link]

I mean... okay... cool?

OpenPGP signature spoofing using HTML

Posted Oct 12, 2018 19:27 UTC (Fri) by jond (subscriber, #37669) [Link]

I'm reminded of filing (or imagining I was filing) a wishlist bug for mutt, to be able to move the GPG verification to a sub-process, and update the displayed mail once it had completed, for signed but not encrypted mails at least (the vast majority I read). Quite frequently I must wait a long time for a mail to display if GPG has decided to update it's trust or whatever internal thing it is doing. This is apparently very challenging with the present mutt architecture.

OpenPGP signature spoofing using HTML

Posted Oct 13, 2018 16:53 UTC (Sat) by biergaizi (subscriber, #92498) [Link]

I think the "(current time)" display in mutt's output is meant as a way to detect this attack, at least in principle.

OpenPGP signature spoofing using HTML

Posted Oct 15, 2018 19:35 UTC (Mon) by sune (subscriber, #40196) [Link] (3 responses)

Another thing that one should also remember here is that only parts of an email might be signed.

In these various user interfaces, which of them also shows that?

OpenPGP signature spoofing using HTML

Posted Oct 15, 2018 23:53 UTC (Mon) by karkhaz (subscriber, #99844) [Link] (2 responses)

Mutt does. The situation you're describing commonly happens with emails from mailing lists, usually the author's original email is signed by them, but the mailing list software attaches a footer at the end. Here's what it looks like (author lightly redacted, although this was posted to a public mailing list):

Date: Wed, 29 Aug 2018 18:07:20 +0200
From: Alice Bobbins via llvm-devmeeting <llvm-devmeeting@lists.llvm.org>
To: llvm-devmeeting@lists.llvm.org
Subject: [llvm-devmeeting] Reserved speaker slots
User-Agent: Mutt/1.5.24 (2015-08-30)

[-- Attachment #1 --]
[-- Type: multipart/signed, Encoding: 7bit, Size: 1.6K --]

[-- Begin signature information --]
Good signature from: Alice Bobbins <bobbins@mpi-inf.mpg.de>
                aka: Alice Bobbins <alice@abobbins.de>
            created: Wed 29 Aug 2018 17:07:20 BST
WARNING: It is NOT certain that the key belongs to the person named as shown
above
Fingerprint: BDC2 D66D AC0C 846A 1988  0149 EE2C F631 81ED D94A
[-- End signature information --]

[-- The following data is signed --]

Quick question: The webpage does not mention the reserved registration
(as I think it used to in recent years). Is below quote from the CfP
still valid or did we eliminate reserved slots for speakers?

Thanks in advance,
  Alice

-- 
Alice Bobbins
Compiler engineer
University of Timbuktu


[-- End of signed data --]

[-- Attachment #2 --]
[-- Type: text/plain, Encoding: base64, Size: 0.2K --]

_______________________________________________
llvm-devmeeting mailing list
llvm-devmeeting@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-devmeeting
- s - 5427/5756: Alice Bobbins via   [llvm-devmeeting] Reserved spea -- (end)
Bottom of message is shown.
Warning: Part of this message has not been signed.
All lines beginning with [-- are not part of the email and are displayed in bold white (on a dark terminal). Similarly, the last line is the status bar and is displayed in cyan, and the signature information is also in a different colour.

OpenPGP signature spoofing using HTML

Posted Oct 17, 2018 17:19 UTC (Wed) by iam.TJ (guest, #56644) [Link] (1 responses)

The problem with using colours, especially in a text console application, is how a visually impaired person can be clearly notified of the security status.

When the information is presented in-line a screen-reader or braille display is not going to be able to differentiate.

Signature presence and verification ought to be presented out-of-band - outside the body of the email and where it cannot be faked.

OpenPGP signature spoofing using HTML

Posted Oct 18, 2018 12:15 UTC (Thu) by karkhaz (subscriber, #99844) [Link]

I'm not familiar with how braille displays render console output, but in the example I showed above the out-of-band information is the last line of text: that line always contains a status bar, and emails cannot write arbitrary text into it.

Does a braille display exactly copy the spacial layout of a terminal, such that the lowest line of the terminal sits at the bottom of the display? If so, then this still works. Otherwise, I'm not sure what the general solution is for out-of-band signalling that also works for visually impaired people. Note that when I said "bright white", what this really means is that text that mutt injects into the email is marked up with the bold attribute for terminal display (as opposed to regular email text, which has no formatting). So for this particular use case, it would suffice if a braille display could somehow indicate to its user that some range of text is 'bold' or otherwise important, no need for various colours.

OpenPGP signature spoofing using HTML

Posted Oct 18, 2018 9:42 UTC (Thu) by skx (subscriber, #14652) [Link]

This is an interesting topic, and it contains something I'd never thought about.

My own console-based mail-client shows the output of GPG-signatures in the header-area which can't be faked.

So it seems like I'm safe, but largely by accident.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds