danger of decrypted files without integrity protection

Greg Troxel gdt at lexort.com
Thu May 17 15:05:35 CEST 2018

Bernhard Reiter <bernhard at intevation.de> writes:

> Pondering how dangerous manipulated decrypted files are
> I've done the following experiment on a GNU system:
> echo "File loading external references? Yes, if you can see the following image: <img src=https://gnupg.org/share/logo-gnupg-light-purple-bg.png />" >test.html
> firefox test.html 
> chromium test.html 
> both times the image was shown.

In your example, you asked a browser to render html, which has different
norms than rendering incoming (and hence not requested by the user)
email.  Even a relatively paranoid browser with uMatrix will render
images from different origins.

If you are calling decrypted content without integrity protection (and
probably, without Data Origin Authenication) protection dangerous, why
are you not also calling unencrypted unauthenticated content dangerous?

The larger real issue here is treating incoming bits as a program and
interpreting it (to include fetching remote content), rather than simply
displaying it.

Mail use of html should not fetch images (which are also likely to
contain tracking identifiers) or execute javascript.

(This is all separate from the discussion about combining multiple
arriving html documents into one document for rendering.)

More information about the Gnupg-devel mailing list