GNU bug report logs - #18718
Encrypted messages expose Bcc identities

Previous Next

Packages: emacs, gnus;

Reported by: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>

Date: Tue, 14 Oct 2014 16:02:01 UTC

Severity: important

Tags: fixed, security

Found in version 5.130012

Fixed in version 25.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
To: 18718 <at> debbugs.gnu.org
Subject: bug#18718: Encrypted messages expose Bcc identities
Date: Tue, 14 Oct 2014 18:01:02 +0200

Hi there,

the Bcc handling of Message is broken for encrypted e-mails, as
Bcc’ed identities are exposed.  I only tested GnuPG via epa, but I
believe all methods to be affected.

Steps to reproduce.

1. Get rid of encrypt-to, default-recipient, and the like in
   gpg.conf.

2. Set epg-debug to t.

3. Send an encrypted e-mail to yourself (just one To address, no Bcc
   yet).  Read it.
   Note that buffer *epg-debug* mentions that the message was
   encrypted to just one key (including key ID and e-mail address).

4. Send an encrypted e-mail to yourself, with one To address and one
   Bcc address.  Read the mail received under the To address, where
   you should not be able to identify the Bcc recipient.
   Note that buffer *epg-debug* mentions that the message was
   encrypted to two keys (including both key IDs and e-mail
   addresses).  The Bcc recipient is clearly visible.

The identities of *blind* recipients must not be exposed in this
way.  The Right Thing is explained there:
http://lists.gnupg.org/pipermail/gnupg-users/2014-April/049394.html

An academic paper explaining the problem is available there:
http://crypto.stanford.edu/portia/papers/bb-bcc.pdf

On 2014-09-21 I posted some suggestions to the ding mailing list
concerning my package DefaultEncrypt, which contains a workaround.
As I don’t know how to link to that message, I’m copying relevant
parts here.  A discussion version of DefaultEncrypt is available
there:
http://informationelle-selbstbestimmung-im-internet.de/emacs/jl-encrypt-4.1-discussion.el
http://informationelle-selbstbestimmung-im-internet.de/emacs/jl-encrypt-4.1-discussion.el.asc
(No new functionality is added.  This is not a regular release.)

In DefaultEncrypt I added a test to warn against such cases.  In the
version linked above, mml-secure-bcc-is-safe implements that test.
I suggest to copy that function (and its prerequisites) into
mml-sec.el.  Then, mml-secure-bcc-is-safe can be added as
message-send-hook, which I suggest as default until proper Bcc
handling is implemented.

Best wishes
Jens

Ma Gnus v0.12
GNU Emacs 24.3.94.1 (x86_64-unknown-linux-gnu, GTK+ Version 2.22.0)
 of 2014-10-02 on PC
This bug report was last modified 9 years and 202 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.