Efail: Breaking S/MIME and OpenPGP Encryption using Exfiltration Channels
Münster 应用科学大学计算机科学教授 Sebastian Schinzel 发出警告 (https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/)，两大最流行的电子邮件加密方法——PGP 和 S/MIME——都易于受攻击，能暴露加密消息的明文。他声称目前没有可靠的修复之法，建议使用者立即卸载。他声称漏洞也能用于暴露用户过去发送的加密邮件。电子前哨基金会（EFF）也在博客 (https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now)上表示他们已经确认这些漏洞对使用者构成了紧迫的危险，它建议立即停用或卸载自动加密电子邮件的工具。他们的建议只涉及在电子邮件中整合 PGP 加密的插件，而不是独立应用如 Gpg4win 和 GNU Privacy Guard。目前漏洞细节没有披露。
然后查了一下事件起末，在推里发现了个 GnuPG 的声明（我贴了完整版）：
GnuPG has an official statement out. (ObDisclosure: I was the principal author.)
(This statement is only about the susceptibility of OpenPGP, GnuPG, andGpg4Win. It does not cover S/MIME.)
Recently some security researchers published a paper named “Efail:
Breaking S/MIME and OpenPGP Encryption using Exfiltration Channels”. The EFF has gone so far as to recommend immediately uninstalling Enigmail. We have three things to say, and then we’re going to show you why we’re right.
This paper is misnamed.
This attack targets buggy email clients.
The authors made a list of buggy email clients.
In 1999 we realized OpenPGP’s symmetric cipher mode (a variant of cipher feedback) had a weakness: in some cases an attacker could modify text. As Werner Koch, the founder of GnuPG, put it: “[Phil Zimmermann] and Jon Callas asked me to attend the AES conference in Rome to discuss problems with the CFB mode which were on the horizon. That discussion was in March 1999 and PGP and GnuPG implemented a first version [of our countermeasure] about a month later. According to GnuPG’s NEWS file, [our countermeasure] went live in Summer 2000.”
The countermeasure Werner mentions is called a Modification Detection Code, or MDC. It’s been a standard part of GnuPG for almost eighteen years. For almost all that time, any message which does not have an MDC attached has caused GnuPG to throw up big, clear, and obvious warning messages. They look something like this:
[long GnuPG output snipped for brevity – see my prior tweet for a sample screenshot]
GnuPG also throws large warning messages if an MDC indicates a message has been modified. In both cases, if your email client respects this warning and does the right thing – namely, not showing you the email – then you are completely protected from the Efail attack, as it’s just a modern spin on something we started defending against almost twenty years ago.
If you’re worried about the Efail attack, upgrade to the latest version of GnuPG and check with your email plugin vendor to see if they handle MDC errors correctly. Most do.
You might be vulnerable if you’re running an ancient version of GnuPG (the 1.0 series; the current is 2.2), or if your email plugin doesn’t handle GnuPG’s warning correctly. You might also have had some exposure in the past if back then you used a pre-2000 version of GnuPG, and/or an email plugin which didn’t handle the warning correctly. We made three statements about the Efail attack at the beginning. We’re going to repeat them here and give a little explanation. Now that we’ve explained the situation, we’re confident you’ll concur in our judgment.
This paper is misnamed. It’s not an attack on OpenPGP. It’s an attack on broken email clients that ignore GnuPG’s warnings and do silly things after being warned.
This attack targets buggy email clients. Correct use of the MDC completely prevents this attack. GnuPG has had MDC support since the summer of 2000.
The authors made a list of buggy email clients. It’s worth looking over their list of email clients (found at the very end) to see if yours is vulnerable. But be careful, because it may not be accurate – for example, Mailpile says they’re not vulnerable, but the paper indicates Mailpile has some susceptibility.
The authors have done the community a good service by cataloguing buggy email email clients. We’re grateful to them for that.
We do wish, though, this thing had been handled with a little less hype. A whole lot of people got scared, and over very little.