Future OpenPGP Support in Thunderbird
phill at thesusis.net
Tue Oct 15 20:42:21 CEST 2019
Werner Koch writes:
> authenticated encryption is different from signed and encrypted mails.
> There are relative easy attacks on the encryption layer if standard
> encryption modes like CBC (as in S/MIME) are used. Whether this really
> affects users is a different question but they can be used to leverage
> implementation flaws in MUAs to full plaintext leaks. This is known for
> 20 years and made it last year again to the media under the term EFAIL.
I'm confused. I thought the whole efail thing was about crafting a
plain text message that says "Good signature verified" and fools the
user even though it was never run through pgp or had its signature
verified with s/mime.
> Granted, encrypted+signed mails can to a large extend also mitigate the
> threat. But there are still reasons why signatures can't be used or
> need to be verified only at a latter time in the workflow.
> OpenPGP had a mitigation against this since 2000 and was widely deployed
> by 2003. However S/MIME never implemented this despite of 10 years old
> RFCs describing methods for such a mitigation, called authenticated
> encryption (AE or AEAD).
AFAICS, that is for encryption+sign. If you just want to sign, it
sounds like you are saying that is broken. I don't see how. You can't
modify the message and keep the hash unchanged, and you can't encrypt a
new hash because you don't have the sender's private key.
More information about the Gnupg-users