Efail or OpenPGP is safer than S/MIME
Andrew Gallagher
andrewg at andrewg.com
Mon May 14 13:13:31 CEST 2018
On 14/05/18 10:42, Robert J. Hansen wrote:
> ... Yep, GnuPG will warn you the message was not integrity protected.
> Your email client should see this warning and refuse to render the message.
I tried again using CAST5 instead of MD5 to bypass the smartcard bug.
The news is not good.
```
andrewg at fred:~$ gpg --recipient 0xFB73E21AF1163937 --cipher-algo CAST5 --disable-mdc --encrypt --sign --armor reply.txt
gpg: using "00CC54C6A0C601691AF4931FFB73E21AF1163937" as default secret key for signing
File 'reply.txt.asc' exists. Overwrite? (y/N) y
andrewg at fred:~$ gpg reply.txt.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: encrypted with 4096-bit RSA key, ID 0x6B09069314549D4B, created 2013-07-02
"Andrew Gallagher <andrewg at andrewg.com>"
File 'reply.txt' exists. Overwrite? (y/N)
Enter new filename: foo
gpg: Signature made Mon 14 May 2018 11:57:17 IST
gpg: using RSA key 291E79A1DC55AE27A52EEF835C1EC404D5906629
gpg: Good signature from "Andrew Gallagher <andrewg at andrewg.com>" [ultimate]
gpg: aka "Andrew Gallagher <andrewg at llagher.net>" [ultimate]
gpg: aka "Andrew Gallagher <ab.gallagher at gmail.com>" [ultimate]
gpg: aka "Andrew Gallagher <andrew.gallagher at siren.solutions>" [ultimate]
gpg: aka "[jpeg image of size 18803]" [ultimate]
gpg: aka "Andrew Gallagher <andrew.gallagher at siren.io>" [ultimate]
Primary key fingerprint: 00CC 54C6 A0C6 0169 1AF4 931F FB73 E21A F116 3937
Subkey fingerprint: 291E 79A1 DC55 AE27 A52E EF83 5C1E C404 D590 6629
gpg: WARNING: message was not integrity protected
```
So far so good - GnuPG correctly throws a warning. But:
```
andrewg at fred:~$ cat reply.txt.asc | mailx andrewg at andrewg.com -s "test message"
```
Now in Enigmail, I get a decrypted message with a green bar and no
warnings whatsoever:
```
Enigmail Security Info
Decrypted message
Good signature from Andrew Gallagher <andrewg at andrewg.com>
Key ID: 0xF1163937 / Signed on: 14/05/18, 11:57
Key fingerprint: 00CC 54C6 A0C6 0169 1AF4 931F FB73 E21A F116 3937
Used Algorithms: RSA and SHA512
Note: The message is encrypted for the following User ID's / Keys:
0x6B09069314549D4B (Andrew Gallagher <andrewg at andrewg.com>)
```
So it would appear that Enigmail IS VULNERABLE.
I have reproduced this on Debian's 2:1.9.9-1~deb9u1 (v1.9.9) and 2.0.3
on Mac. By comparison, the default cipher (AES) correctly throws a
decryption error in Enigmail using the same test systems.
--
Andrew Gallagher
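
The check discussed in this message (a client refusing to render output that was not integrity protected), as an added example that is not part of the original post and is not Enigmail's or GnuPG's own code. It keys on the machine-readable `gpg --status-fd` keywords rather than the human-readable warning; the function names are hypothetical and the status lines are constructed samples, not captured output.

```python
"""Gate rendering of decrypted OpenPGP mail on gpg --status-fd output."""

PREFIX = "[GNUPG:] "

def parse_status(text):
    """Return (keyword, args) pairs for each status line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                events.append((parts[0], parts[1:]))
    return events

def render_decision(status_text):
    """Return (ok, reason). A good signature never stands in for an integrity check."""
    events = parse_status(status_text)
    seen = {kw for kw, _ in events}
    if "BADMDC" in seen or "DECRYPTION_FAILED" in seen:
        return False, "decryption or integrity check failed"
    if "DECRYPTION_OKAY" not in seen:
        return False, "no successful decryption reported"
    if "GOODMDC" not in seen:
        # DECRYPTION_INFO's first field is the MDC method; 0 means none.
        info = next((a for kw, a in events if kw == "DECRYPTION_INFO"), None)
        if info and info[0] == "0":
            return False, "ciphertext carries no MDC"
        return False, "integrity protection not confirmed"
    return True, "decrypted and integrity protected"

# Constructed samples (key ID and user name are placeholders).
NO_MDC_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 3
[GNUPG:] GOODSIG 0000000000000000 Example User <user@example.org>
[GNUPG:] DECRYPTION_OKAY
gpg: WARNING: message was not integrity protected
[GNUPG:] END_DECRYPTION
"""
WITH_MDC_STATUS = NO_MDC_STATUS.replace("INFO 0 3", "INFO 2 9").replace(
    "DECRYPTION_OKAY\n", "DECRYPTION_OKAY\n[GNUPG:] GOODMDC\n")
TAMPERED_STATUS = "[GNUPG:] DECRYPTION_INFO 2 9\n[GNUPG:] BADMDC\n[GNUPG:] DECRYPTION_FAILED\n"

if __name__ == "__main__":
    for name in ("NO_MDC_STATUS", "WITH_MDC_STATUS", "TAMPERED_STATUS"):
        print(name, render_decision(globals()[name]))
```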