-
-
Notifications
You must be signed in to change notification settings - Fork 303
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should To and Cc header fields be protected? #4223
Comments
Related: #4221 |
Related config:
|
The worst part of this bug is that Bob will assume that Alice CCed Mallory, and when Alice receives Bob's reply, Alice will also likely assume that Bob added Mallory to CC, so it's very likely that none of them would realize that Mallory added himself to the conversation maliciously. |
I think this deserves not only making To and Cc protected headers, but also change the default to protect headers. Not protecting headers is an insecure default, which is a bad thing, when dealing with crypto stuff. Consider users who may not know about the existence of this issue, or about the existence of the |
Show a block of information about the encryption of a message, which includes the recipients that can decrypt the message. This info isn't necessarily complete: the sender could hide some recipients, so that they are able to decrypt the message, but aren't listed. See gpg(1) options --recipient and --hidden-recipient. I'm not sure, but I suspect a malicious sender could also add fake recipients, which are listed, but cannot really decrypt the message. Therefore, this should be taken only as an informative block, and with a pinch of salt. It would be good to protect the To and Cc header fields, to provide a guarantee to the recipient that the listed recipients match the original recipients as intended by the sender. See the bug neomutt#4223 linked below. Closes: <neomutt#4163> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Public%20Key%20Algorithms> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Decrypt> Link: <https://linux.codidact.com/posts/291205> Link: <neomutt#4223> Co-developed-by: Richard Russon <rich@flatcap.org> Cc: Werner Koch <wk@gnupg.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Show a block of information about the encryption of a message, which includes the recipients that can decrypt the message. This info isn't necessarily complete: the sender could hide some recipients, so that they are able to decrypt the message, but aren't listed. See gpg(1) options --recipient and --hidden-recipient. I'm not sure, but I suspect a malicious sender could also add fake recipients, which are listed, but cannot really decrypt the message. Therefore, this should be taken only as an informative block, and with a pinch of salt. It would be good to protect the To and Cc header fields, to provide a guarantee to the recipient that the listed recipients match the original recipients as intended by the sender. See the bug neomutt#4223 linked below. Closes: <neomutt#4163> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Public%20Key%20Algorithms> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Decrypt> Link: <https://linux.codidact.com/posts/291205> Link: <neomutt#4223> Co-developed-by: Richard Russon <rich@flatcap.org> Cc: Werner Koch <wk@gnupg.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Show a block of information about the encryption of a message, which includes the recipients that can decrypt the message. This info isn't necessarily complete: the sender could hide some recipients, so that they are able to decrypt the message, but aren't listed. See gpg(1) options --recipient and --hidden-recipient. I'm not sure, but I suspect a malicious sender could also add fake recipients, which are listed, but cannot really decrypt the message. Therefore, this should be taken only as an informative block, and with a pinch of salt. It would be good to protect the To and Cc header fields, to provide a guarantee to the recipient that the listed recipients match the original recipients as intended by the sender. See the bug neomutt#4223 linked below. Closes: <neomutt#4163> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Public%20Key%20Algorithms> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Decrypt> Link: <https://linux.codidact.com/posts/291205> Link: <neomutt#4223> Co-developed-by: Richard Russon <rich@flatcap.org> Cc: Werner Koch <wk@gnupg.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
For messages without Cc, there should be an empty |
They are part of the crypto message, which means the sender considers them part of the important data, and should not be carelessly weeded. Link: <neomutt#4223> Link: <neomutt#4226> Signed-off-by: Alejandro Colomar <alx@kernel.org>
There are several attacks that are possible if the To or Cc fields are not protected. One of them is: - The metadata of a signed+encrypted message can be modified (without decrypting it), to add a mallicious recipient. Subsequent replies to the thread will likely also encrypt to the mallicious recipient, disclosing secret data. The "From" isn't strictly necessary, as the signature will specify an address, but it doesn't hurt either, and since the public key may have several IDs, this makes sure that the message contains the one that the sender wants to use. Read the links below for a more detailed explanation of the problem. To be paranoic, we might want to also protect other address lists, like "Reply-To". That would need more careful analysis, and also implies more noise in the pager, so I'm not convinced. Link: <neomutt#4223> Link: <neomutt#4226> Signed-off-by: Alejandro Colomar <alx@kernel.org>
They are part of the crypto message, which means the sender considers them part of the important data, and should not be carelessly weeded. Link: <neomutt#4223> Link: <neomutt#4226> Signed-off-by: Alejandro Colomar <alx@kernel.org>
There are several attacks that are possible if the To or Cc fields are not protected. One of them is: - The metadata of a signed+encrypted message can be modified (without decrypting it), to add a mallicious recipient. Subsequent replies to the thread will likely also encrypt to the mallicious recipient, disclosing secret data. The "From" isn't strictly necessary, as the signature will specify an address, but it doesn't hurt either, and since the public key may have several IDs, this makes sure that the message contains the one that the sender wants to use. Read the links below for a more detailed explanation of the problem. To be paranoic, we might want to also protect other address lists, like "Reply-To". That would need more careful analysis, and also implies more noise in the pager, so I'm not convinced. Link: <neomutt#4223> Link: <neomutt#4226> Signed-off-by: Alejandro Colomar <alx@kernel.org>
There are several attacks that are possible if the To or Cc fields are not protected. One of them is: - The metadata of a signed+encrypted message can be modified (without decrypting it), to add a malicious recipient. Subsequent replies to the thread will likely also encrypt to the mallicious recipient, disclosing secret data. The "From" isn't strictly necessary, as the signature will specify an address, but it doesn't hurt either, and since the public key may have several IDs, this makes sure that the message contains the one that the sender wants to use. Read the links below for a more detailed explanation of the problem. To be paranoic, we might want to also protect other address lists, like "Reply-To". That would need more careful analysis, and also implies more noise in the pager, so I'm not convinced. Link: <neomutt#4223> Link: <neomutt#4226> Signed-off-by: Alejandro Colomar <alx@kernel.org>
There are several attacks that are possible if the To or Cc fields are not protected. One of them is: - The metadata of a signed+encrypted message can be modified (without decrypting it), to add a malicious recipient. Subsequent replies to the thread will likely also encrypt to the malicious recipient, disclosing secret data. The "From" isn't strictly necessary, as the signature will specify an address, but it doesn't hurt either, and since the public key may have several IDs, this makes sure that the message contains the one that the sender wants to use. Read the links below for a more detailed explanation of the problem. To be paranoic, we might want to also protect other address lists, like "Reply-To". That would need more careful analysis, and also implies more noise in the pager, so I'm not convinced. Link: <neomutt#4223> Link: <neomutt#4226> Signed-off-by: Alejandro Colomar <alx@kernel.org>
They are part of the crypto message, which means the sender considers them part of the important data, and should not be carelessly weeded. Link: <neomutt#4223> Link: <neomutt#4226> Signed-off-by: Alejandro Colomar <alx@kernel.org>
There are several attacks that are possible if the To or Cc fields are not protected. One of them is: - The metadata of a signed+encrypted message can be modified (without decrypting it), to add a malicious recipient. Subsequent replies to the thread will likely also encrypt to the malicious recipient, disclosing secret data. The "From" isn't strictly necessary, as the signature will specify an address, but it doesn't hurt either, and since the public key may have several IDs, this makes sure that the message contains the one that the sender wants to use. Read the links below for a more detailed explanation of the problem. To be paranoic, we might want to also protect other address lists, like "Reply-To". That would need more careful analysis, and also implies more noise in the pager, so I'm not convinced. Link: <neomutt#4223> Link: <neomutt#4226> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Fun fact: Old mutt(1) has a bug by which it injects To (and a few other header fields) into the protected header. However, it's just a bug; probably they forgot to clear some structure. It's clearly a bug, however, because mutt(1) never reads that back on the receiving side. It only presents the non-protected headers. So, a malicious actor can preserve the protected headers (so gpg(1) will accept the signature), modify the non-protected ones, and trick the recipient to trust the mail. Since mutt(1) doesn't show the protected To, the user cannot know about it. |
Show a block of information about the encryption of a message, which includes the recipients that can decrypt the message. This info isn't necessarily complete: the sender could hide some recipients, so that they are able to decrypt the message, but aren't listed. See gpg(1) options --recipient and --hidden-recipient. I'm not sure, but I suspect a malicious sender could also add fake recipients, which are listed, but cannot really decrypt the message. Therefore, this should be taken only as an informative block, and with a pinch of salt. It would be good to protect the To and Cc header fields, to provide a guarantee to the recipient that the listed recipients match the original recipients as intended by the sender. See the bug neomutt#4223 linked below. Closes: <neomutt#4163> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Public%20Key%20Algorithms> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Decrypt> Link: <https://linux.codidact.com/posts/291205> Link: <neomutt#4223> Co-developed-by: Richard Russon <rich@flatcap.org> Cc: Werner Koch <wk@gnupg.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
I think I'll end up protecting every AddressList in the Envelope structure. |
Show a block of information about the encryption of a message, which includes the recipients that can decrypt the message. This info isn't necessarily complete: the sender could hide some recipients, so that they are able to decrypt the message, but aren't listed. See gpg(1) options --recipient and --hidden-recipient. I'm not sure, but I suspect a malicious sender could also add fake recipients, which are listed, but cannot really decrypt the message. Therefore, this should be taken only as an informative block, and with a pinch of salt. It would be good to protect the To and Cc header fields, to provide a guarantee to the recipient that the listed recipients match the original recipients as intended by the sender. See the bug neomutt#4223 linked below. Closes: <neomutt#4163> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Public%20Key%20Algorithms> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Decrypt> Link: <https://linux.codidact.com/posts/291205> Link: <neomutt#4223> Co-developed-by: Richard Russon <rich@flatcap.org> Cc: Werner Koch <wk@gnupg.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
bcc leakage!This isn't a bug in your changes, just a general feature of (Neo)Mutt. Experimenting with both your PRs (#4221, #4227)... I sent a signed/encrypted email to multiple recipients: Compose
Note, I have: Email arrived (annotated with key owners)
NeoMutt effectively encrypts like Can we change the behaviour to mimic |
Hmmm!
Seems good. The delivered message doesn't show the BCC.
Seems bad, but can be expected: we only encrypt once.
And seems good. The protected headers don't show the BCC. It's just the list of encryption recipients.
We could fix it in several ways:
The first one is what you suggest. At first glance, I agree, as I think it will be simpler to implement. (I've copied the info from here into a new bug report.) |
Link: <neomutt#4236> Link: <neomutt#4223> Link: <neomutt#4226> Reviewed-by: наб <nabijaczleweli@nabijaczleweli.xyz> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
... except Bcc, for obvious reasons. There are several attacks that are possible if the To, Cc, and similar header fields are not protected. One of them is: - The metadata of a signed+encrypted message can be modified (without decrypting it), to add a malicious recipient. Subsequent replies to the thread will likely also encrypt to the malicious recipient, disclosing secret data. Read the links below for a more detailed explanation of the problem. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
This function copies a src ListHead at the tail of a dst ListHead. This is similar to mutt_addrlist_copy(), but for ListHead. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Move some code out of a conditional, to add support for other protected headers in the following commits. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
…ists Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
This function writes a list to a buffer. It is similar to mutt_addrlist_write(), but simpler, and for ListHead. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
…fields Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Show a block of information about the encryption of a message, which includes the recipients that can decrypt the message. This info isn't necessarily complete: the sender could hide some recipients, so that they are able to decrypt the message, but aren't listed. See gpg(1) options --recipient and --hidden-recipient. I'm not sure, but I suspect a malicious sender could also add fake recipients, which are listed, but cannot really decrypt the message. Therefore, this should be taken only as an informative block, and with a pinch of salt. It would be good to protect the To and Cc header fields, to provide a guarantee to the recipient that the listed recipients match the original recipients as intended by the sender. See the bug neomutt#4223 linked below. Closes: <neomutt#4163> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Public%20Key%20Algorithms> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Decrypt> Link: <https://linux.codidact.com/posts/291205> Link: <neomutt#4223> Co-developed-by: Richard Russon <rich@flatcap.org> Cc: Werner Koch <wk@gnupg.org> Cc: наб <nabijaczleweli@nabijaczleweli.xyz> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Show a block of information about the encryption of a message, which includes the recipients that can decrypt the message. This info isn't necessarily complete: the sender could hide some recipients, so that they are able to decrypt the message, but aren't listed. See gpg(1) options --recipient and --hidden-recipient. I'm not sure, but I suspect a malicious sender could also add fake recipients, which are listed, but cannot really decrypt the message. Therefore, this should be taken only as an informative block, and with a pinch of salt. It would be good to protect the To and Cc header fields, to provide a guarantee to the recipient that the listed recipients match the original recipients as intended by the sender. See the bug neomutt#4223 linked below. Closes: <neomutt#4163> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Public%20Key%20Algorithms> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Decrypt> Link: <https://linux.codidact.com/posts/291205> Link: <neomutt#4223> Co-developed-by: Richard Russon <rich@flatcap.org> Cc: Werner Koch <wk@gnupg.org> Cc: наб <nabijaczleweli@nabijaczleweli.xyz> Signed-off-by: Alejandro Colomar <alx@kernel.org>
... except Bcc, for obvious reasons. There are several attacks that are possible if the To, Cc, and similar header fields are not protected. One of them is: - The metadata of a signed+encrypted message can be modified (without decrypting it), to add a malicious recipient. Subsequent replies to the thread will likely also encrypt to the malicious recipient, disclosing secret data. Read the links below for a more detailed explanation of the problem. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
This function copies a src ListHead at the tail of a dst ListHead. This is similar to mutt_addrlist_copy(), but for ListHead. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Move some code out of a conditional, to add support for other protected headers in the following commits. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
…ists Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
This function writes a list to a buffer. It is similar to mutt_addrlist_write(), but simpler, and for ListHead. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
…fields Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Protected header fields are part of the crypto message, which means the sender considers them part of the important data, and should not be carelessly weeded. If the user want to do it, allow them via this variable, but default to not weeding them. Link: <neomutt#4223> Link: <neomutt#4226> Link: <neomutt#4227> Link: <neomutt#4236> Link: <neomutt#4237> Cc: Richard Russon <rich@flatcap.org> Reviewed-by: наб <nabijaczleweli@nabijaczleweli.xyz> Cc: Pietro Cerutti <gahr@gahr.ch> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Link: <neomutt#4236> Link: <neomutt#4223> Link: <neomutt#4226> Reviewed-by: наб <nabijaczleweli@nabijaczleweli.xyz> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Show a block of information about the encryption of a message, which includes the recipients that can decrypt the message. This info isn't necessarily complete: the sender could hide some recipients, so that they are able to decrypt the message, but aren't listed. See gpg(1) options --recipient and --hidden-recipient. I'm not sure, but I suspect a malicious sender could also add fake recipients, which are listed, but cannot really decrypt the message. Therefore, this should be taken only as an informative block, and with a pinch of salt. It would be good to protect the To and Cc header fields, to provide a guarantee to the recipient that the listed recipients match the original recipients as intended by the sender. See the bug #4223 linked below. Closes: <#4163> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Public%20Key%20Algorithms> Link: <https://www.gnupg.org/documentation/manuals/gpgme.pdf#Decrypt> Link: <https://linux.codidact.com/posts/291205> Link: <#4223> Co-developed-by: Richard Russon <rich@flatcap.org> Cc: Werner Koch <wk@gnupg.org> Cc: наб <nabijaczleweli@nabijaczleweli.xyz> Signed-off-by: Alejandro Colomar <alx@kernel.org>
... except Bcc, for obvious reasons. There are several attacks that are possible if the To, Cc, and similar header fields are not protected. One of them is: - The metadata of a signed+encrypted message can be modified (without decrypting it), to add a malicious recipient. Subsequent replies to the thread will likely also encrypt to the malicious recipient, disclosing secret data. Read the links below for a more detailed explanation of the problem. Link: <#4223> Link: <#4226> Cc: Richard Russon <rich@flatcap.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Protected header fields are part of the crypto message, which means the sender considers them part of the important data, and should not be carelessly weeded. If the user want to do it, allow them via this variable, but default to not weeding them. Link: <neomutt#4223> Link: <neomutt#4226> Link: <neomutt#4227> Link: <neomutt#4236> Link: <neomutt#4237> Cc: Richard Russon <rich@flatcap.org> Reviewed-by: наб <nabijaczleweli@nabijaczleweli.xyz> Cc: Pietro Cerutti <gahr@gahr.ch> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Protected header fields are part of the crypto message, which means the sender considers them part of the important data, and should not be carelessly weeded. If the user want to do it, allow them via this variable, but default to not weeding them. Link: <#4223> Link: <#4226> Link: <#4227> Link: <#4236> Link: <#4237> Cc: Richard Russon <rich@flatcap.org> Reviewed-by: наб <nabijaczleweli@nabijaczleweli.xyz> Cc: Pietro Cerutti <gahr@gahr.ch> Signed-off-by: Alejandro Colomar <alx@kernel.org>
I believe this can be^W^Wis a security vulnerability, but it's so obvious that I don't think it should be embargoed.
Alice sends a secret message to Bob.
Mallory wants to read the message, and Bob's reply to it.
Mallory intercepts the message, and adds himself to the
Cc:
header field.(I'm not sure if the following is possible, but let's assume it is:) Mallory also modifies the metadata of the encrypted part, to add himself as a listed recipient, even if he can't really decrypt the message. (@dd9jn, is this possible?)
Bob receives the message, and sees that Alice CCed Mallory, and that the encrypted message seems to be encrypted to Mallory too (currently, neomutt(1) doesn't show this, but Bob reads that info by running the gpg(1) command on the message; in the future, he sees that in the encryption information block).
When Bob replies to Alice, quoting a large part of the original message, he keeps Mallory in Cc (replies to all), disclosing the conversation to Mallory.
This could be prevented by protecting the To and Cc header fields, by including them in the signed part. It doesn't make sense to replace them by dummy
...
as done with the Subject, since they need to receive the message, but it makes sense to repeat them in the signed part, and possibly warn if they don't match the outer ones (hmm, maybe we shouldn't warn if they mismatch; just showing the protected To and Cc in the pager should be enough; it's simpler).The text was updated successfully, but these errors were encountered: