[gmime-devel] avoiding metadata leaks when handling S/MIME-signed mail in GMime and other tools that use GnuPG

Jeffrey Stedfast fejj at gnome.org
Fri Feb 2 19:13:32 CET 2018


Hi Daniel & GnuPG devs,

On 2/2/2018 12:48 PM, Daniel Kahn Gillmor wrote:
> Hi GMime and GnuPG developers--
>
> sorry for the cross-posting!  coordinating this kind of thing
> cross-project is tough.
>
> I recently learned that default handling of signed S/MIME mail with
> GnuPG causes an inherent metadata leak about the user's activity:
>
>      https://dev.gnupg.org/T3348#110132
>
> As a MUA developer, I'd like my MUA to simply handle as much crypto as
> it can on the user's behalf automatically, correctly and silently,
> without needing any special configuration or asking the user to make any
> tough tradeoffs that they might object to.
>
> What kinds of tradeoffs are objectionable?  Performance tradeoffs are
> probably OK, since they're user-visible, and can be mitigated by
> disabling crypto.  But metadata leakage by default seems really
> problematic, because (a) it is invisible to the user, and (b) once done,
> it cannot be undone.
>
> So my question for GMime and GnuPG developers is how a MUA that uses
> GMime should approach this.  Given that GMime relies on GnuPG, and GnuPG
> basically says "if you process S/MIME mail, you'll leak metadata", what
> is the best way to instruct GMime to say "handle as much cryptographic
> mail as you can without leaking metadata"?
>
> GMime 3 has greatly simplified its crypto handling interface, and it has
> moved fully to GPGME on the backend, which i appreciate.  However, i
> think the interface is now so clean that i don't know how to either:
>
>   * tell GMime to disable crl checks

I'd be willing to add an API to disable CRL checks if there's a way I 
can pass that along to gpgme.

>
> or
>
>   * tell GMime not to verify S/MIME signatures at all

Willing to add an API for this as well (although I guess it's not 
necessary if an API to disable CRL checks is added?)

>
> Either of these methods would address the default metadata leakage
> concern, but the first choice provides more functionality to the user.
>
> i note that GPGME offers gpgme_set_offline(), which tells it to avoid
> talking to the network entirely.  Maybe that can be exposed by GMime
> somehow?

Absolutely.

>
> i don't think invoking gpgme_set_offline(true) would break other uses of
> GPGME inside GMime or any other sensible MUA, but if there's a fear that
> it does, i'd like to hear about it.

Well, I suppose that, like S/MIME signature verification, it would also 
disable PGP key-server lookups?

It might be best if there was a way to disable CRL checks on a per 
gpgme_ctx_t basis as opposed to globally, but I can have GMime use the 
global option until such an option exists (note: might be racey if you 
try and verify signatures on multiple threads).

I'll wait for the GnuPG/GPGME devs to comment before making changes to 
GMime.

Jeff




More information about the Gnupg-devel mailing list