Bug 399050 - Signature spoofing in PGP encrypted email (ID layer)
Summary: Signature spoofing in PGP encrypted email (ID layer)
Status: CONFIRMED
Alias: None
Product: trojita
Classification: Applications
Component: Cryptography
Version: unspecified
Platform: unspecified Linux
Importance: NOR minor
Target Milestone: ---
Assignee: Trojita default assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-25 13:15 UTC by Jens Mueller
Modified: 2018-10-10 10:09 UTC
0 users

See Also:
Latest Commit:
Version Fixed In:


Attachments
Testcase 'display name' (1.01 KB, message/rfc822) -- 2018-09-25 13:15 UTC, Jens Mueller
Testcase 'from sender, others: signer' (1.07 KB, message/rfc822) -- 2018-09-25 13:15 UTC, Jens Mueller
Testcase 'from sender, others: signer' (1.07 KB, message/rfc822) -- 2018-09-25 13:16 UTC, Jens Mueller
Testcase 'from1: sender, from2: signer' (1.03 KB, message/rfc822) -- 2018-09-25 13:16 UTC, Jens Mueller
Testcase 'from1: sender, from2: signer' (1.03 KB, message/rfc822) -- 2018-09-25 13:17 UTC, Jens Mueller
Screenshots of testcases (86.59 KB, image/png) -- 2018-10-10 08:31 UTC, Jens Mueller

Description Jens Mueller 2018-09-25 13:15:08 UTC
Created attachment 115220 [details]
Testcase 'display name'

Dear Trojitá Devs,

In the scope of academic research we discovered a (minor) PGP signature validation issue in Trojitá based on how Trojitá matches a signed message to a sender's identity.

*** Prerequisites ***

This attack requires three parties: Alice, Bob and Eve. Bob trusts Alice and Eve. He has both public keys imported to be able to verify their PGP signed messages. The attacker -- Eve -- is successful if she can send an email signed by herself while Bob's mail client shows the email as signed by Alice on the first level of the UI -- i.e. by just viewing the email without further investigating the signature details or performing a forensic analysis.

*** Attack Description ***

When dealing with digital signatures, the question of *signed by whom* is an important one. If Bob's mail client simply displayed `valid signature' once a PGP signed message is received, Eve could sign her message and send it to Bob with Alice set as the sender. This is due to a lack of binding between the user ID derived from the PGP signature and the address given in the *From:* header. There are two options to handle this problem: First, a mail client can explicitly display the signer's identity somewhere in the UI and let the user compare it to the sender address. Secondly, a warning can be shown if the signer's identity (email address) does not equal the sender address as shown by the mail client. Trojitá chooses the latter option, which is hard to implement in a secure way.

*** Proof of Concept ***

Please find attached various proof-of-concept emails which allow an attacker to get a `valid signature' displayed by Trojitá even though the shown sender address does not equal the actual signer address.

*** Countermeasures ***

It can be considered as a good practice to explicitly show *signed-by-whom* directly in the UI when displaying a PGP signed message. A comparison to the *From:* or *Sender:* header fields may not be sufficient because this approach is error prone.

Feel free to contact me for any questions.

Greetings,
Jens Mueller

--
M.Sc. Jens Mueller
Research Assistant
Chair for Network and Data Security, Ruhr-University
Universitaetsstr. 150
Building ID 2/415
D-44780 Bochum
Phone: +49 (0) 234 / 32-29177
Comment 1 Jens Mueller 2018-09-25 13:15:47 UTC
Created attachment 115221 [details]
Testcase 'from sender, others: signer'
Comment 2 Jens Mueller 2018-09-25 13:16:29 UTC
Created attachment 115222 [details]
Testcase 'from sender, others: signer'
Comment 3 Jens Mueller 2018-09-25 13:16:49 UTC
Created attachment 115223 [details]
Testcase 'from1: sender, from2: signer'
Comment 4 Jens Mueller 2018-09-25 13:17:19 UTC
Created attachment 115224 [details]
Testcase 'from1: sender, from2: signer'
Comment 5 Jan Kundrát 2018-09-26 06:32:59 UTC
Hi Jens,
first of all, thanks for including us in your research. I've tried to reproduce your finding, but I cannot obtain the pubkey 460E80E5FB7A6EED from the public keyservers. Trojita therefore shows just "Some signature: missing key" as a short summary, followed by a "Key 460E80E5FB7A6EED is not available in the keyring. Cannot verify signature validity or do anything else. The message might or might not have been tampered with." after a click-through.

Can you please upload your public key somewhere so that we can take a look?
Comment 6 Jens Mueller 2018-09-26 09:27:33 UTC
Hi Jan,

Sorry, uploaded the key to the keyservers.

Greetings
Jens
Comment 7 Jan Kundrát 2018-10-09 22:22:49 UTC
Jens, I've now fetched the keys from keyservers (it took them a few days to be reachable from any keyserver I tried, and then later I was AFK). Note that Trojita extracts From/Sender/etc fields via the IMAP server's BODYSTRUCTURE command. You might see different results from what I see because different servers parse garbage input in a different way. (As a side note, I do not think that *that* would be a security issue because e-mail headers are forgeable, anyway.)

I locally signed the pubkey to make it "valid". After that, the first two test cases started showing a green marker for "valid signature". The remaining three show a warning about "signed by stranger" (probably due to the way how my IMAP server parses these headers).

The green tick is shown for the first two test cases:

1) First one:

To: brucewayne45@web.de
From: The President <brucewayne45@web.de>
Reply-to: The President <president@whitehouse.gov>
Subject: Testcase 'trojita'

2) Second:

To: brucewayne45@web.de
From: president@whitehouse.gov
Return-Path: brucewayne451@web.de
Sender: iPhone <brucewayne45@web.de>
Reply-to: president@whitehouse.gov
Subject: Testcase #11 'from sender, others: signer'

In other words, it only shows a green tick if any address in either the "From" or "Sender" fields match the e-mail in the signature. I think that the code is working as designed. It is designed that way to support workflows involving mailing lists and message bouncing. Trojita always unconditionally shows both Sender and From fields if they are present.

Do you see a security problem in here?

What we could do is to always show the e-mail address which was matched. Would that make sense from your point of view?
Comment 8 Jens Mueller 2018-10-10 08:31:40 UTC
Created attachment 115532 [details]
Screenshots of testcases
Comment 9 Jens Mueller 2018-10-10 08:52:43 UTC
Hi Jan,

> You might see different results from what I see because
> different servers parse garbage input in a different way.

That's interesting, however I'd not rely on the config of the IMAP server for end-to-end security (which PGP is assumed to provide).

> As a side note, I do not think that *that* would be a
> security issue because e-mail headers are forgeable

Absolutely, but a lot of users assume that PGP can exactly counter the problem of forgeable email headers using digital signatures (even though a binding between the From:/Sender: address and the email address in the matching PGP key has never been defined in the OpenPGP standard).

> Trojita always unconditionally shows both Sender and
> From fields if they are present.

Yes, but only the display name, not the actual email address.
For me, the testcases look as shown in attachment 115532 [details].

> Do you see a security problem in here?

Depends on your point of view. I would not say those issues are super-bad. However, if we really want to rely on PGP for critical tasks I'd say there is still room for improvement in the UI of mail clients. Assume you receive a signed email from your employer with testcase #2 which includes a task-to-be-done-immediately (e.g. "The President: >>launch missiles<<") -- you may be stressed and not look into the signature details and just do it...

> What we could do is to always show the e-mail address
> which was matched. Would that make sense from your
> point of view?

Yes, I think it's a good practice to explicitly show the email address of the matching key (if available) and therefore answer the signed-by-whom question (or at least delegate it back to the user).

Greetings
Jens
Comment 10 Jan Kundrát 2018-10-10 10:09:18 UTC
> That's interesting, however I'd not rely on the config of the IMAP server for
> end-to-end security (which PGP is assumed to provide).

And we are not, which is why I also added that second sentence :).

E-mail headers and ESMTP-level envelopes are not covered by PGP. The IMAP server "can lie to us", and I claim that this does not open any extra attack vector compared to, e.g., your ESMTP host maliciously mangling stuff on delivery. That was my point.

> Depends on your point of view. I would not say those issues are super-bad.
> However, if we really want to rely on PGP for critical tasks I'd say there is
> still room for improvement in the UI of mail clients. Assume you receive a
> signed email from your employer with testcase #2 which includes a
> task-to-be-done-immediately (e.g. "The President: >>launch missiles<<") -- you
> may be stressed and not look into the signature details and just do it...

Thanks for reporting this. I think that adding the signer's recipient address into the "valid signature" area will be an improvement.

For anybody reading this -- patches welcome, I will only have a chance to work on this in a week or two, I guess.
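The following is an added illustration, not Trojita's code and not a patch from anyone in this thread. It models the matching rule Jan describes in comment 7 (a green tick whenever any address in From or Sender equals an address in the signing key's user ID) next to the first-level summary both sides converge on: always name the matched signer address, and say so when the From address the user sees is not the signer. The header values of the first two test cases are the ones quoted in comment 7; the third test case is a constructed approximation of the 'from1: sender, from2: signer' attachment, whose headers are not quoted in the thread, and the signer's user-ID address is assumed. Cryptographic verification itself is taken as already done and passed in as a boolean.

```python
# Added example (not Trojita's code): signer-to-header binding as discussed in
# bug 399050, plus a summary that always answers "signed by whom".
from email.utils import getaddresses

# Constructed sample inputs. Headers are an ordered list of (name, value) pairs
# so that a repeated From header is preserved instead of collapsed.
TESTCASE_1 = [  # 'display name' (comment 7, case 1)
    ("To", "brucewayne45@web.de"),
    ("From", "The President <brucewayne45@web.de>"),
    ("Reply-to", "The President <president@whitehouse.gov>"),
    ("Subject", "Testcase 'trojita'"),
]
TESTCASE_2 = [  # 'from sender, others: signer' (comment 7, case 2)
    ("To", "brucewayne45@web.de"),
    ("From", "president@whitehouse.gov"),
    ("Return-Path", "brucewayne451@web.de"),
    ("Sender", "iPhone <brucewayne45@web.de>"),
    ("Reply-to", "president@whitehouse.gov"),
    ("Subject", "Testcase #11 'from sender, others: signer'"),
]
TESTCASE_3 = [  # constructed approximation of 'from1: sender, from2: signer'
    ("To", "brucewayne45@web.de"),
    ("From", "president@whitehouse.gov"),
    ("From", "brucewayne45@web.de"),
    ("Subject", "Testcase 'from1: sender, from2: signer'"),
]
# Assumed: e-mail address carried in the user ID of the key that made the signature.
SIGNER_UIDS = {"brucewayne45@web.de"}


def header_addresses(headers, name):
    """Lower-cased addresses from every instance of header `name`.
    Display names are dropped: they are free text and bound to no key."""
    values = [v for n, v in headers if n.lower() == name.lower()]
    return [addr.lower() for _display, addr in getaddresses(values) if addr]


def lenient_match(headers, signer_uids):
    """Rule described in comment 7: the first address in From or Sender that
    equals a signer UID, else None. A match alone produces the green tick,
    and the address that matched is not shown."""
    for addr in header_addresses(headers, "From") + header_addresses(headers, "Sender"):
        if addr in signer_uids:
            return addr
    return None


def signature_summary(headers, signer_uids, sig_valid=True):
    """First-level summary that always names the signer and flags a From
    address that is not the signer, so the user need not open the details."""
    if not sig_valid:
        return "Invalid signature"
    matched = lenient_match(headers, signer_uids)
    if matched is None:
        return "Valid signature by a stranger: " + ", ".join(sorted(signer_uids))
    from_addrs = header_addresses(headers, "From")
    if from_addrs != [matched]:
        return (f"Valid signature by {matched}; From address "
                f"{', '.join(from_addrs)} is not the signer")
    return f"Valid signature by {matched}"


if __name__ == "__main__":
    for label, case in (("case 1", TESTCASE_1), ("case 2", TESTCASE_2), ("case 3", TESTCASE_3)):
        print(label, "| lenient:", lenient_match(case, SIGNER_UIDS),
              "| summary:", signature_summary(case, SIGNER_UIDS))
```

Running it shows the point of the thread: all three cases pass the lenient rule and would get the green tick, while the summary for cases 2 and 3 reads "Valid signature by brucewayne45@web.de; From address president@whitehouse.gov ... is not the signer". Case 1 still summarises as signed by brucewayne45@web.de, which is exactly why the address, not the display name "The President", is what the UI should print.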