A problem related to a widely used open-source cryptography technology could let miscreants tamper with digitally signed and encrypted e-mails.
The problem lies in how certain e-mail applications display messages signed using the GNU Privacy Guard, also known as GnuPG and GPG, the GnuPG group said in a security alert Tuesday. It may not be possible to identify which part of a message is actually signed if GPG is not used correctly, it said.
"It is possible to insert additional text before or after a signed, or signed and encrypted, OpenPGP message and make the user believe that this additional text is also covered by the signature," according to the alert.
Several open-source e-mail clients are affected by this latest issue, according to security company Core Security Technologies, which discovered the issue. The list of affected applications includes KDE's KMail, Novell's Evolution, Sylpheed, Mutt and GnuMail.org, according to Core. Enigmail, an extension to the Mozilla mail clients, is also vulnerable, the security research company said.
"It is important to note that this is not a cryptographic problem. It affects how information is presented to the user and how third-party applications interact with GnuPG," Core said in an alert.
In addition to adding content to seemingly secure e-mails, attackers can exploit the problem to bypass content-filtering defenses such as antispam mechanisms, Core said.
GnuPG is a free replacement for the Pretty Good Privacy cryptographic technology. An e-mail that uses OpenPGP cryptography can be made up of multiple sections, not all of which need to be signed or encrypted. E-mail programs that do not correctly interpret the message could indicate that a message is fully secure when, in fact, it is not.
"You see the pretty icon telling you that the whole message is encrypted and signed, whereas there is a section of it--text, image, binary, whatever--which isn't," Arrigo Triulzi, a SANS Internet Storm Center staffer, wrote on the organization's blog.
The GnuPG group has issued updates to prevent tampering with signed or encrypted messages, but it notes that individual e-mail applications might need updating as well, to correctly display signed messages after applying the GPG update.
"After applying one of these patches, some vulnerable applications may fail to handle certain messages," the GnuPG alert states. "Fixing the application is required, as there is no way for GnuPG to do it."
Core also published a work-around to help users detect and prevent exploitation. If a signed message looks suspicious, the validity of the signature can be verified by manually invoking GnuPG from the command line and adding the special option "--status-fd" to gain extra information, Core suggested.
May expose ENCRYPTED e-mail? This is a signing flaw, it won't expose the key. It's the same flaw from last year, where you put more text past the signed message body. You can't insert it in the middle of the message even!
If you come across an encrypted message, good for you. You can't read it. This flaw would allow you to... make the message show more text at the end, before or after being decrypted (the encrypted mail looks like a block of junk, then below you see the inserted extra message; decrypted, the block of junk becomes the original message and the inserted message stays).
The issue was beaten before many time. This is not problem with GPG - this is problem with mail relays which try to insert their stuff into mail incorrectly, often resulting in unencryptable mail.
And that's why GPG is lax on when it comes to mails with both unencrypted/unsigned and encrypted/signed parts.
This is not problem of GPG per se - this is problem (again!) of SMTP protocol used to deliver mail.
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
May expose ENCRYPTED e-mail? This is a signing flaw, it won't expose the key. It's the same flaw from last year, where you put more text past the signed message body. You can't insert it in the middle of the message even!
If you come across an encrypted message, good for you. You can't read it. This flaw would allow you to... make the message show more text at the end, before or after being decrypted (the encrypted mail looks like a block of junk, then below you see the inserted extra message; decrypted, the block of junk becomes the original message and the inserted message stays).
And that's why GPG is lax on when it comes to mails with both unencrypted/unsigned and encrypted/signed parts.
This is not problem of GPG per se - this is problem (again!) of SMTP protocol used to deliver mail.
Get with it people... this is not headline news... it's Old info at best!!!
FWIW