Future OpenPGP Support in Thunderbird

Phillip Susi phill at thesusis.net
Tue Oct 15 20:42:21 CEST 2019

Werner Koch writes:

> authenticated encryption is different from signed and encrypted mails.
> There are relatively easy attacks on the encryption layer if standard
> encryption modes like CBC (as in S/MIME) are used.  Whether this really
> affects users is a different question but they can be used to leverage
> implementation flaws in MUAs to full plaintext leaks.  This has been known for
> 20 years and made it to the media again last year under the term EFAIL.

I'm confused.  I thought the whole efail thing was about crafting a
plain text message that says "Good signature verified" and fools the
user even though it was never run through pgp or had its signature
verified with s/mime.

> Granted, encrypted+signed mails can to a large extent also mitigate the
> threat.  But there are still reasons why signatures can't be used or
> need to be verified only at a later time in the workflow.
> OpenPGP has had a mitigation against this since 2000 and was widely deployed
> by 2003.  However S/MIME never implemented this despite 10-year-old
> RFCs describing methods for such a mitigation, called authenticated
> encryption (AE or AEAD).

AFAICS, that is for encryption+sign.  If you just want to sign, it
sounds like you are saying that is broken.  I don't see how.  You can't
modify the message and keep the hash unchanged, and you can't encrypt a
new hash because you don't have the sender's private key.
