Pros and cons of PGP/MIME for outgoing e-mail?

[Bjarni Runar Einarsson]

Hello!

I just couldn't resist the chance to play devil's advocate some more...

 ;-)

(Werner: Sorry about the duplicate, I fat-fingered the reply-all)

Werner Koch <wk at gnupg.org> wrote:
> > It would be far, far more useful to have a signature for each part so
> > instead of a binary pass/fail, you get a more granular result saying
> > "Message body was fine", "Attachment 2-5 are fine", and "Something
> 
> Too complicated and allows for replacement-attacks: Split a signed
> message and replace one attachment (e.g. a document with the price list)
> by an earlier version.  Or remove one attschment.  PGP uses this to get
> around Outlook problems ("partitioned mail" or so) but they knew that it
> has its limitations.

My proposal doesn't have this problem. I want the manifest to summarize
the entire content of the message, including sha256 (or whatever is
considered good) fingerprints of each part. If you replace any parts,
that is detected. You can delete the Manifest too, but my proposal
included mitigation strategies for that as well.

As mentioned in my last mail, I need to write a clearer proposal and
flesh out the Manifest format a bit more.

...

Elsewhere in this thread, I think someone briefly touched upon security
risks imposed by Bad People messing with the MIME structure. I'm not
finding it now that I go looking, so maybe I mis-read. But I'd like to
discuss some of the negative security implications of PGP/MIME anyway,
just for fun. :-)

For context, I spent 6 years working in anti-virus/anti-spam for e-mail,
and longer working as a sysadmin in various plaes. My understanding of
the A/V industry and sysadmin mentality, is the sysadmin looove
centralized solutions. They like to put security scanning tool on the
mail server, where they are easy to manage and keep up to date, and
don't need to worry about which MUAs and operating systems are in use
within the org. You can even outsource that stuff, get your mail scanned
as by 3rd party experts.

Now, if your MIME library is just the right kind of shitty, and can be
exploited by sending a nasty boundary, then PGP/MIME encrypting the
exploint guarantees it will be delivered intact and undetected by the
security scanners. Oops! This particular vector is admittedly probably
rare these day. Hopefully most MIME parsers were fuzzed and fixed long
ago, except for the new one that Werner wants to write in 1000 lines of
C. :-P

Hey has anyone fuzzed the plugins lately? Either way, this illustrates
an important point.

This fact is, if everyone encrypts end-to-end as favoured by this
community, then it becomes impossible (or rather, pointless) to deploy
centralized security solutions. If I were a paranoid sysadmin, I'd be
tempted to reject incoming PGP/MIME mail outright, for this reason
alone.

In reality, directly mailing you an encrypted exploit is far easier than
intercepting your legitimate mail and injecting exploits into mail other
people wrote. Security is all about economics, and I'll boldly argue
that PGP/MIME is not thwarting any real intrusions by protecting the
MIME structure. And if we further factor in viruses and phishing and
exploits and spam, then widely deployed PGP/MIME might make the real
world less secure, not more. :-P

If on the other hand, we encrypt just user-generated content and leave
all the technical envelope crap exposed (including enough metadata to
allow enforcement of content policies, e.g. banning .exe attachments),
then we can play nice with the rest of the security eco-system. That
sort of thing does have value...

And I've just talked myself into leaking a bit more metadata, not less.

Fun times! :-)
 - Bjarni

-- 
I make stuff: www.mailpile.is, www.pagekite.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP Digital Signature
URL: </pipermail/attachments/20141126/ce4a9a75/attachment.sig>