Bug 796424 - Signature Spoofing in PGP encrypted email
Status: RESOLVED OBSOLETE
Product: evolution
Classification: Applications
Component: Mailer
Version: 3.26.x (obsolete)
Hardware/OS: Other Linux
Priority/Severity: Normal minor
Target Milestone: ---
Assigned To: evolution-mail-maintainers
QA Contact: Evolution QA team
Depends on:
Blocks:
Reported: 2018-05-27 15:04 UTC by Jens Mueller
Modified: 2018-09-25 16:02 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Proof-of-concept email to impersonate Phil Zimmermann (3.82 KB, message/rfc822)
2018-05-27 15:04 UTC, Jens Mueller
Screenshot of proof-of-concept email (31.56 KB, image/png)
2018-05-27 15:05 UTC, Jens Mueller

Description Jens Mueller 2018-05-27 15:04:23 UTC
Created attachment 372430 [details]
Proof-of-concept email to impersonate Phil Zimmermann

In the scope of academic research within the efail project, in cooperation with Ruhr-University Bochum and FH Münster, Germany, we discovered a (minor) signature validation issue in Evolution. An attacker who is in possession of valid PGP-signed data can simply re-send it as an attachment to the intended receiver. When the message is read and verified by the receiver, a valid signature is shown even though the visible mail content is controlled by the attacker.

/Attacker model/: Attacker is in possession of a valid OpenPGP signature from the entity to be impersonated, which she may have obtained from email correspondence, public mailing lists, signed software packages, signed GitHub commits, etc.; this should be a realistic scenario, so we don't even need an NSA-like attacker.

/Attacker's goal/: Given her own text, the attacker wants to spoof a correct signature to be displayed by Evolution.

/Proof-of-concept/: Find attached a mail which impersonates Phil Zimmermann.

/Countermeasures/: Do not show `signature valid' if only part of the message contains a valid signature, or make visually clear which part is signed and which is not.

Greetings,
Jens

--
M.Sc. Jens Mueller
Research Assistant
Chair for Network and Data Security, Ruhr-University
Universitaetsstr. 150
Building ID 2/415
D-44780 Bochum
Phone: +49 (0) 234 / 32-29177
Comment 1 Jens Mueller 2018-05-27 15:05:21 UTC
Created attachment 372431 [details]
Screenshot of proof-of-concept email
Comment 2 Milan Crha 2018-05-28 12:33:17 UTC
Thanks for the bug report. Evolution does highlight which part is signed/encrypted and which is not, and in the case of a signature such parts are also highlighted by changing the border color (and the right border width) to match the color of the signature banner. Your screenshot doesn't show the text part being signed.

On the other hand, I agree that this can be tricky to spot by the users. The signature.asc attachment looks suspicious, but again, users might not care/notice.

I do not know how to handle this the best way. Would people notice any difference when the signed parts are tied together in a more aggressive way? I guess not. That would not be noticeable with your test message either, because the relevant part is (almost) hidden.

What about a "compromise", when there's at least one subpart of the multipart signed, then show all the unsigned parts as signed with an invalid signature? That would show your test part with a red border, instead of that light grey border.
Comment 3 Milan Crha 2018-07-20 09:22:57 UTC
Changes for [1] improved the situation by changing the value of the Security header, where, instead of "GPG signed", it says "partially GPG signed" now. I'm not sure if it qualifies to close this bug though.

[1] https://gitlab.gnome.org/GNOME/evolution-data-server/issues/3
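The countermeasure from the report (show "signature valid" only when the whole visible message is covered) and the "partially GPG signed" label from comment 3 both come down to one structural question: which displayable MIME leaf parts sit inside a multipart/signed container and which do not. The following is an added example, not Evolution's or evolution-data-server's code; it inspects only the MIME tree with Python's standard email module and does not run gpg or verify any signature. The three sample messages are constructed for this example, and the signature blocks in them are placeholders, not real signatures.

```python
"""Classify how much of a MIME message an OpenPGP signature structurally covers.

Added example (not Evolution code).  Walks the MIME tree; a leaf part counts as
"covered" only if it lies under the signed body of a multipart/signed container
(RFC 3156: first child = signed data, second child = detached signature).
Cryptographic verification of the signature itself is deliberately out of scope.
"""
from email import message_from_string
from email.message import Message
from typing import List, Tuple

# Constructed sample: attacker-style structure from the bug report.  An unsigned
# text/html part is shown next to a genuinely signed part that was re-attached.
SAMPLE_PARTIAL = """\
From: alice@example.org
To: bob@example.org
Subject: constructed sample (partially signed)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset=utf-8

<p>Visible text that no signature covers.</p>
--outer
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="inner"

--inner
Content-Type: text/plain; charset=utf-8

Original signed text.
--inner
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
--inner--
--outer--
"""

# Constructed sample: the whole body is the signed data of a multipart/signed.
SAMPLE_FULL = """\
From: alice@example.org
To: bob@example.org
Subject: constructed sample (fully signed)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain; charset=utf-8

Fully signed body.
--sig
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
--sig--
"""

# Constructed sample: no signature at all.
SAMPLE_UNSIGNED = """\
From: alice@example.org
To: bob@example.org
Subject: constructed sample (unsigned)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Plain unsigned body.
"""


def signed_leaves(msg: Message) -> List[Tuple[str, bool]]:
    """Return (content_type, covered) for every leaf part a client would render.

    The detached application/pgp-signature part is skipped: it is the signature,
    not content the user reads.  message/rfc822 attachments are descended into
    like any other container, inheriting the coverage flag of their parent.
    """
    leaves: List[Tuple[str, bool]] = []

    def walk(part: Message, covered: bool) -> None:
        if part.get_content_type() == "multipart/signed":
            children = part.get_payload()
            if isinstance(children, list) and children:
                walk(children[0], True)   # only the first child is signed data
            return                        # children[1] is the signature blob
        if part.is_multipart():
            for child in part.get_payload():
                walk(child, covered)
            return
        leaves.append((part.get_content_type(), covered))

    walk(msg, False)
    return leaves


def signature_coverage(raw_message: str) -> str:
    """Return 'signed', 'partial' or 'unsigned' for a raw RFC 822 message.

    A client should display an unqualified "signed" banner only for 'signed';
    'partial' is the case the bug report describes and deserves a distinct label.
    """
    flags = [covered for _, covered in signed_leaves(message_from_string(raw_message))]
    if flags and all(flags):
        return "signed"
    if any(flags):
        return "partial"
    return "unsigned"


if __name__ == "__main__":
    for name, raw in (("partial", SAMPLE_PARTIAL), ("full", SAMPLE_FULL), ("unsigned", SAMPLE_UNSIGNED)):
        print(f"{name:>9}: {signature_coverage(raw)}  leaves={signed_leaves(message_from_string(raw))}")
```

The check is purely structural by design: a valid signature on the nested part is exactly what makes the partially signed message look trustworthy, so the decision about the banner has to be made from coverage, not from the cryptographic result alone. A real client would combine this with the verification outcome (and with border highlighting of the kind comment 2 describes) and would still label the whole message as no better than "partially signed" whenever any rendered leaf is uncovered.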
Comment 4 Jens Mueller 2018-09-25 14:00:47 UTC
Here is another (minor) issue concerning PGP signature validation in Evolution based on how Evolution presents the results of signature verification to the user:

*** Prerequisites ***

It is assumed that the attacker, Eve, can send an email to Bob which -- on the RFC822 layer -- looks as if it originates from Alice (using the *From:* header). Such email address spoofing should actually be prevented by digital signatures. The attacker's goal is to have a spoofed PGP signature displayed by the mail client, so that Bob thinks there is cryptographic proof of Alice being the sender. The attack is successful if the fake signature is indistinguishable from a real signed message by Alice on the first level of the UI -- i.e. by just viewing the email without further investigating the signature details or performing a forensic analysis.

*** Attack Description ***

Evolution displays the status of the signature within the mail content itself. However, this part of the UI is in control of the attacker. With modern HTML, CSS or inline images a graphic showing `valid signature', appearing like the real results of signature verification, can easily be forged. Note that this attack works for signed-only as well as for signed and encrypted messages, because the HTML email content to display the fake signature can simply be encrypted using Bob's public key.

*** Countermeasures ***

The results of signature verification are not to be shown in attacker-controlled parts of the UI such as in the message content itself which may contain arbitrary graphics.
Comment 5 Milan Crha 2018-09-25 15:30:28 UTC
That's https://gitlab.gnome.org/GNOME/evolution/issues/120, right? I'd prefer to close this in favour of the new issue, to avoid effort duplication, if it is.
Comment 6 Jens Mueller 2018-09-25 15:54:23 UTC
Yes, absolutely. I did not see that Hanno had already reported this one in the GitLab bug tracker.
Comment 7 Milan Crha 2018-09-25 16:02:49 UTC
Okay, thanks for the confirmation. I'm closing this one.