GNU bug report logs -
#18718
Encrypted messages expose Bcc identities
Previous Next
Reported by: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
Date: Tue, 14 Oct 2014 16:02:01 UTC
Severity: important
Tags: fixed, security
Found in version 5.130012
Fixed in version 25.1
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 18718 in the body.
You can then email your comments to 18718 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bugs <at> gnus.org:
bug#18718; Package
gnus.
(Tue, 14 Oct 2014 16:02:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>:
New bug report received and forwarded. Copy sent to
bugs <at> gnus.org.
(Tue, 14 Oct 2014 16:02:03 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi there,
the Bcc handling of Message is broken for encrypted e-mails, as
Bcc’ed identities are exposed. I only tested GnuPG via epa, but I
believe all methods to be affected.
Steps to reproduce.
1. Get rid of encrypt-to, default-recipient, and the like in
gpg.conf.
2. Set epg-debug to t.
3. Send an encrypted e-mail to yourself (just one To address, no Bcc
yet). Read it.
Note that buffer *epg-debug* mentions that the message was
encrypted to just one key (including key ID and e-mail address).
4. Send an encrypted e-mail to yourself, with one To address and one
Bcc address. Read the mail received under the To address, where
you should not be able to identify the Bcc recipient.
Note that buffer *epg-debug* mentions that the message was
encrypted to two keys (including both key IDs and e-mail
addresses). The Bcc recipient is clearly visible.
The identities of *blind* recipients must not be exposed in this
way. The Right Thing is explained there:
http://lists.gnupg.org/pipermail/gnupg-users/2014-April/049394.html
An academic paper explaining the problem is available there:
http://crypto.stanford.edu/portia/papers/bb-bcc.pdf
On 2014-09-21 I posted some suggestions to the ding mailing list
concerning my package DefaultEncrypt, which contains a workaround.
As I don’t know how to link to that message, I’m copying relevant
parts here. A discussion version of DefaultEncrypt is available
there:
http://informationelle-selbstbestimmung-im-internet.de/emacs/jl-encrypt-4.1-discussion.el
http://informationelle-selbstbestimmung-im-internet.de/emacs/jl-encrypt-4.1-discussion.el.asc
(No new functionality is added. This is not a regular release.)
In DefaultEncrypt I added a test to warn against such cases. In the
version linked above, mml-secure-bcc-is-safe implements that test.
I suggest to copy that function (and its prerequisites) into
mml-sec.el. Then, mml-secure-bcc-is-safe can be added as
message-send-hook, which I suggest as default until proper Bcc
handling is implemented.
Best wishes
Jens
Ma Gnus v0.12
GNU Emacs 24.3.94.1 (x86_64-unknown-linux-gnu, GTK+ Version 2.22.0)
of 2014-10-02 on PC
Added indication that bug 18718 blocks19759
Request was from
Glenn Morris <rgm <at> gnu.org>
to
control <at> debbugs.gnu.org.
(Tue, 03 Feb 2015 21:24:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#18718; Package
emacs,gnus.
(Sat, 26 Dec 2015 21:35:02 GMT)
Full text and
rfc822 format available.
Message #10 received at 18718 <at> debbugs.gnu.org (full text, mbox):
Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> writes:
> 4. Send an encrypted e-mail to yourself, with one To address and one
> Bcc address. Read the mail received under the To address, where
> you should not be able to identify the Bcc recipient.
> Note that buffer *epg-debug* mentions that the message was
> encrypted to two keys (including both key IDs and e-mail
> addresses). The Bcc recipient is clearly visible.
[...]
> On 2014-09-21 I posted some suggestions to the ding mailing list
> concerning my package DefaultEncrypt, which contains a workaround.
Would it be possible for you to create a patch for this against the
version of Message in 25.1?
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
Information forwarded
to
bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#18718; Package
emacs,gnus.
(Sun, 27 Dec 2015 15:52:02 GMT)
Full text and
rfc822 format available.
Message #13 received at 18718 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2015-12-26, at 22:34, Lars Ingebrigtsen wrote:
> Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> writes:
>
>> 4. Send an encrypted e-mail to yourself, with one To address and one
>> Bcc address. Read the mail received under the To address, where
>> you should not be able to identify the Bcc recipient.
>> Note that buffer *epg-debug* mentions that the message was
>> encrypted to two keys (including both key IDs and e-mail
>> addresses). The Bcc recipient is clearly visible.
>
> [...]
>
>> On 2014-09-21 I posted some suggestions to the ding mailing list
>> concerning my package DefaultEncrypt, which contains a workaround.
>
> Would it be possible for you to create a patch for this against the
> version of Message in 25.1?
A patch is attached. The new function mml-secure-bcc-is-safe does
nothing on its own but can be added to message-send-hook or called
from message-send and friends.
Concerning documentation: I’m currently involved in a refactoring
effort for encryption related functionality, which takes place in
the Gnus git under branch mml-refactoring. There, Message
documentation is already extended with a section “Bcc Warning” which
could be extended.
(Also, gnus-subsetp, which is part of this patch, is already present
in the branch mml-refactoring.)
Best wishes
Jens
[0001-Identify-unsafe-combinations-of-Bcc-and-encryption.patch (text/x-diff, inline)]
From f9fb01a6b013963e0d8021b5da587cc548c1ea9a Mon Sep 17 00:00:00 2001
From: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
Date: Sun, 27 Dec 2015 16:29:02 +0100
Subject: [PATCH] Identify unsafe combinations of Bcc and encryption
---
ChangeLog.2 | 8 ++++++++
lisp/gnus/gnus-util.el | 10 ++++++++++
lisp/gnus/mml-sec.el | 46 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 64 insertions(+)
diff --git a/ChangeLog.2 b/ChangeLog.2
index 6d72663..971a3b5 100644
--- a/ChangeLog.2
+++ b/ChangeLog.2
@@ -1,3 +1,11 @@
+2015-12-27 Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
+
+ Identify unsafe combinations of Bcc and encryption
+
+ * lisp/gnus/gnus-util.el (gnus-subsetp): New function
+ * lisp/gnus/mml-sec.el (mml-secure-safe-bcc-list): New variable
+ * lisp/gnus/mml-sec.el (mml-secure-bcc-is-safe): New function
+
2015-12-27 Lars Ingebrigtsen <larsi <at> gnus.org>
* shr.el (shr-descend): Allow using lambdas in external functions.
diff --git a/lisp/gnus/gnus-util.el b/lisp/gnus/gnus-util.el
index 40e2dcf..933387d 100644
--- a/lisp/gnus/gnus-util.el
+++ b/lisp/gnus/gnus-util.el
@@ -1989,6 +1989,16 @@ to case differences."
(defun gnus-timer--function (timer)
(elt timer 5)))
+(defun gnus-subsetp (list1 list2)
+ "Return t if LIST1 is a subset of LIST2.
+Similar to `subsetp' but use member for element test so that this works for
+lists of strings."
+ (when (and (listp list1) (listp list2))
+ (if list1
+ (and (member (car list1) list2)
+ (gnus-subsetp (cdr list1) list2))
+ t)))
+
(provide 'gnus-util)
;;; gnus-util.el ends here
diff --git a/lisp/gnus/mml-sec.el b/lisp/gnus/mml-sec.el
index 45da937..dbae280 100644
--- a/lisp/gnus/mml-sec.el
+++ b/lisp/gnus/mml-sec.el
@@ -122,6 +122,21 @@ Whether the passphrase is cached at all is controlled by
:group 'message
:type 'integer)
+(defcustom mml-secure-safe-bcc-list nil
+ "List of e-mail addresses that are safe to use in Bcc headers.
+EasyPG encrypts e-mails to Bcc addresses, and the encrypted e-mail
+by default identifies the used encryption keys, giving away the
+Bcc'ed identities. Clearly, this contradicts the original goal of
+*blind* copies.
+For an academic paper explaining the problem, see URL
+`http://crypto.stanford.edu/portia/papers/bb-bcc.pdf'.
+Use this variable to specify e-mail addresses whose owners do not
+mind if they are identifiable as recipients. This may be useful if
+you use Bcc headers to encrypt e-mails to yourself."
+ :version "25.1"
+ :group 'message
+ :type '(repeat string))
+
;;; Configuration/helper functions
(defun mml-signencrypt-style (method &optional style)
@@ -272,6 +287,37 @@ Use METHOD if given. Else use `mml-secure-method' or
(interactive)
(mml-secure-part "smime"))
+(defun mml-secure-is-encrypted-p ()
+ "Check whether secure encrypt tag is present."
+ (save-excursion
+ (goto-char (point-min))
+ (re-search-forward
+ (concat "^" (regexp-quote mail-header-separator) "\n"
+ "<#secure[^>]+encrypt")
+ nil t)))
+
+(defun mml-secure-bcc-is-safe ()
+ "Check whether usage of Bcc is safe (or absent).
+Bcc usage is safe in two cases: first, if the current message does
+not contain an MML secure encrypt tag;
+second, if the Bcc addresses are a subset of `mml-secure-safe-bcc-list'.
+In all other cases, ask the user whether Bcc usage is safe.
+Raise error if user answers no.
+Note that this function does not produce a meaningful return value:
+either an error is raised or not."
+ (when (mml-secure-is-encrypted-p)
+ (let ((bcc (mail-strip-quoted-names (message-fetch-field "bcc"))))
+ (when bcc
+ ;; Split recipients at "," boundary, omit empty strings (t),
+ ;; and strip whitespace.
+ (let ((bcc-list (split-string hdr "," t "\\s-+")))
+ (unless (gnus-subsetp bcc-list mml-secure-safe-bcc-list)
+ (unless (yes-or-no-p "Message for encryption contains Bcc header.\
+ This may give away all Bcc'ed identities to all recipients.\
+ Are you sure that this is safe?\
+ (Customize `mml-secure-safe-bcc-list' to avoid this warning.) ")
+ (error "Aborted"))))))))
+
;; defuns that add the proper <#secure ...> tag to the top of the message body
(defun mml-secure-message (method &optional modesym)
(let ((mode (prin1-to-string modesym))
--
1.9.1
Information forwarded
to
bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#18718; Package
emacs,gnus.
(Sun, 27 Dec 2015 18:00:02 GMT)
Full text and
rfc822 format available.
Message #16 received at 18718 <at> debbugs.gnu.org (full text, mbox):
Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> writes:
> A patch is attached. The new function mml-secure-bcc-is-safe does
> nothing on its own but can be added to message-send-hook or called
> from message-send and friends.
Looks good. Do you have Emacs copyright assignment papers on file?
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
Information forwarded
to
bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#18718; Package
emacs,gnus.
(Sun, 27 Dec 2015 18:20:02 GMT)
Full text and
rfc822 format available.
Message #19 received at 18718 <at> debbugs.gnu.org (full text, mbox):
> From: Lars Ingebrigtsen <larsi <at> gnus.org>
> Date: Sun, 27 Dec 2015 18:59:08 +0100
> Cc: 18718 <at> debbugs.gnu.org
>
> Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> writes:
>
> > A patch is attached. The new function mml-secure-bcc-is-safe does
> > nothing on its own but can be added to message-send-hook or called
> > from message-send and friends.
>
> Looks good. Do you have Emacs copyright assignment papers on file?
He does.
Information forwarded
to
bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#18718; Package
emacs,gnus.
(Sun, 27 Dec 2015 18:28:02 GMT)
Full text and
rfc822 format available.
Message #22 received at 18718 <at> debbugs.gnu.org (full text, mbox):
Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> writes:
> A patch is attached. The new function mml-secure-bcc-is-safe does
> nothing on its own but can be added to message-send-hook or called
> from message-send and friends.
I've applied the patch, but there were bugs. It referred to an unbound
variable called "hdr", which I've changed to bcc. Please look over the
resulting code.
Also, I get these warnings:
In end of data:
gnus/mml-sec.el:429:1:Warning: the following functions are not known to be
defined: mail-strip-quoted-names, message-fetch-field, gnus-subsetp
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
Information forwarded
to
bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#18718; Package
emacs,gnus.
(Sun, 27 Dec 2015 20:10:02 GMT)
Full text and
rfc822 format available.
Message #25 received at 18718 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2015-12-27, at 19:26, Lars Ingebrigtsen wrote:
> Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> writes:
>
>> A patch is attached. The new function mml-secure-bcc-is-safe does
>> nothing on its own but can be added to message-send-hook or called
>> from message-send and friends.
>
> I've applied the patch, but there were bugs. It referred to an unbound
> variable called "hdr", which I've changed to bcc. Please look over the
> resulting code.
You are right. I tested against the wrong load-path. Sorry.
> Also, I get these warnings:
>
> In end of data:
> gnus/mml-sec.el:429:1:Warning: the following functions are not known to be
> defined: mail-strip-quoted-names, message-fetch-field, gnus-subsetp
Indeed. Actually, when should I use require, when autoload? In
particular, for gnus-util both variants are used in different files,
and I fail to see a pattern. As mml-sec just uses autoloads, the
attached patch adds more of them to avoid the warnings.
Best wishes
Jens
[0002-More-autoloads-to-avoid-compile-warnings.patch (text/x-diff, inline)]
From 1f54b417fd487880f794cfff2eecceb87a07d4d8 Mon Sep 17 00:00:00 2001
From: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
Date: Sun, 27 Dec 2015 20:40:15 +0100
Subject: [PATCH 2/2] More autoloads to avoid compile warnings
---
lisp/gnus/mml-sec.el | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lisp/gnus/mml-sec.el b/lisp/gnus/mml-sec.el
index dbae280..d7702d7 100644
--- a/lisp/gnus/mml-sec.el
+++ b/lisp/gnus/mml-sec.el
@@ -25,10 +25,13 @@
(eval-when-compile (require 'cl))
+(autoload 'gnus-subsetp "gnus-util")
+(autoload 'mail-strip-quoted-names "mail-utils")
(autoload 'mml2015-sign "mml2015")
(autoload 'mml2015-encrypt "mml2015")
(autoload 'mml1991-sign "mml1991")
(autoload 'mml1991-encrypt "mml1991")
+(autoload 'message-fetch-field "message")
(autoload 'message-goto-body "message")
(autoload 'mml-insert-tag "mml")
(autoload 'mml-smime-sign "mml-smime")
--
1.9.1
Information forwarded
to
bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#18718; Package
emacs,gnus.
(Sun, 27 Dec 2015 20:14:01 GMT)
Full text and
rfc822 format available.
Message #28 received at 18718 <at> debbugs.gnu.org (full text, mbox):
Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> writes:
> Indeed. Actually, when should I use require, when autoload? In
> particular, for gnus-util both variants are used in different files,
> and I fail to see a pattern. As mml-sec just uses autoloads, the
> attached patch adds more of them to avoid the warnings.
Thanks; applied.
There's no hard and fast rule, especially with these libraries that tend
to infloop if you add too many requires. :-) (That is, a requires b
that requires c that requires a...)
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
Added tag(s) fixed.
Request was from
Lars Ingebrigtsen <larsi <at> gnus.org>
to
control <at> debbugs.gnu.org.
(Sun, 27 Dec 2015 20:15:02 GMT)
Full text and
rfc822 format available.
bug marked as fixed in version 25.1, send any further explanations to
18718 <at> debbugs.gnu.org and Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
Request was from
Lars Ingebrigtsen <larsi <at> gnus.org>
to
control <at> debbugs.gnu.org.
(Sun, 27 Dec 2015 20:15:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#18718; Package
emacs,gnus.
(Sat, 02 Jan 2016 14:50:02 GMT)
Full text and
rfc822 format available.
Message #35 received at 18718 <at> debbugs.gnu.org (full text, mbox):
I don’t think that mml-secure-bcc-is-safe gets called so far, which
means that the bug still exists.
As I wrote concerning the patch, the function could be added to
message-send-hook or called from message-send. I don’t know what
would be preferable.
Information forwarded
to
bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#18718; Package
emacs,gnus.
(Sun, 03 Jan 2016 09:09:02 GMT)
Full text and
rfc822 format available.
Message #38 received at 18718 <at> debbugs.gnu.org (full text, mbox):
Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> writes:
> I don’t think that mml-secure-bcc-is-safe gets called so far, which
> means that the bug still exists.
>
> As I wrote concerning the patch, the function could be added to
> message-send-hook or called from message-send. I don’t know what
> would be preferable.
Calling from message-send sounds better, I think. Could you send a
patch?
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
Information forwarded
to
bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#18718; Package
emacs,gnus.
(Sun, 03 Jan 2016 14:58:01 GMT)
Full text and
rfc822 format available.
Message #41 received at 18718 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2016-01-03, at 10:08, Lars Magne Ingebrigtsen wrote:
> Calling from message-send sounds better, I think. Could you send a
> patch?
This should do it.
[0001-Call-mml-secure-bcc-is-safe-for-bug-18718.patch (text/x-diff, inline)]
From c1cae98181cb05a001a4b0b3216f4aa072aaed6c Mon Sep 17 00:00:00 2001
From: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
Date: Sun, 3 Jan 2016 15:48:43 +0100
Subject: [PATCH] Call mml-secure-bcc-is-safe for bug#18718
* lisp/gnus/message.el (message-send): Call mml-secure-bcc-is-safe
---
lisp/gnus/message.el | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lisp/gnus/message.el b/lisp/gnus/message.el
index a6c8282..1e2e3bd 100644
--- a/lisp/gnus/message.el
+++ b/lisp/gnus/message.el
@@ -4227,6 +4227,8 @@ Instead, just auto-save the buffer and then bury it."
(if message-return-action
(apply (car message-return-action) (cdr message-return-action))))
+(autoload 'mml-secure-bcc-is-safe "mml-sec")
+
(defun message-send (&optional arg)
"Send the message in the current buffer.
If `message-interactive' is non-nil, wait for success indication or
@@ -4241,6 +4243,7 @@ It should typically alter the sending method in some way or other."
(let ((inhibit-read-only t))
(put-text-property (point-min) (point-max) 'read-only nil))
(message-fix-before-sending)
+ (mml-secure-bcc-is-safe)
(run-hooks 'message-send-hook)
(when message-confirm-send
(or (y-or-n-p "Send message? ")
--
1.9.1
Information forwarded
to
bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#18718; Package
emacs,gnus.
(Mon, 04 Jan 2016 00:58:02 GMT)
Full text and
rfc822 format available.
Message #44 received at 18718 <at> debbugs.gnu.org (full text, mbox):
Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> writes:
> On 2016-01-03, at 10:08, Lars Magne Ingebrigtsen wrote:
>
>> Calling from message-send sounds better, I think. Could you send a
>> patch?
>
> This should do it.
Thanks; applied to Emacs 25.1.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Mon, 01 Feb 2016 12:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 9 years and 202 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.