[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#25429: 24.5; mml-secure-message-encrypt-pgpmime warns about some Use

From: Daniel Kahn Gillmor
Subject: bug#25429: 24.5; mml-secure-message-encrypt-pgpmime warns about some User IDs with unknown validity but not about others
Date: Thu, 12 Jan 2017 11:02:44 -0500

This is a security bug in Emacs' mml mode when composing encrypted
mail.  The flaw allows an attacker to potentially trigger selection of
the wrong key, and to evade a warning from gpg.

Here's the situation:

I'm composing a mesage in emacs in mml-mode (using notmuch, fwiw, though
i don't think that matters here), and i want to send it encrypted.

I use mml-secure-message-encrypt-pgpmime (via C-c RET c p) to encrypt
the message.

I have two friends, Alice and Bob, who have OpenPGP certificates that
look like this:

pub   rsa4096 2016-06-02 [SC]
uid           [ unknown] Alice <address@hidden>
uid           [  full  ] Alice <address@hidden>
sub   rsa4096 2016-06-02 [E]

pub   rsa4096 2016-08-16 [SC]
uid           [ unknown] Bob <address@hidden>
sub   rsa4096 2016-08-16 [E]

These are the only certs in my keyring other than my own.

Note that i've managed to certify Alice's example.com User ID, but not
her example.org User ID (she probably added that User ID after i checked

When the mail is addressed only to address@hidden, i get this warning
when sending; if i answer "n" then the message doesn't go out:

    Untrusted key 04AEEB8BE699F289 Bob <address@hidden>. Use anyway? (y or n)

When the mail is addressed only to address@hidden, i get no such
warning, the message is just signed, encrypted, and sent.

So far, so good :)

However, when i send mail to address@hidden, i *also* get no warning,
despite the fact that the address@hidden User ID has the same level
of calculated validity as the address@hidden User ID.

This points to a nitpick and a real underlying problem, both related.

Nitpick first:

 * The message "Untrusted key" warning message is misleading, since this
   has nothing to do with GnuPG's concept of "trust", or of the key.
   Instead, it should be looking at the validity of the binding between
   the User ID and the key.  So the message should say something like:

      Unknown validity of key 04AEEB8BE699F289 for 'Bob <address@hidden>'.  Use 

And the real problem:

 * it looks like mml is actually basing its decision about the warning
   on the *maximum* validity of all User IDs on the certificate as a
   whole, rather than on the validity of the User ID that it cares
   about.  This is a security flaw.  Consider the situation above, but
   where Alice decides she wants to be able to read Bob's encrypted
   mail.  If she were to add a new User ID to her OpenPGP certificate
   that was "address@hidden", and i imported that cert into my keyring
   (e.g. while doing regular refreshes from the keyserver) then future
   messages that i encrypt to Bob would *not* have the warning, and
   would be encrypted to the wrong key.

So mml is not testing the right information reported by gpg when it
makes this decision.


In GNU Emacs 24.5.1 (x86_64-pc-linux-gnu, GTK+ Version 3.22.5)
 of 2016-12-18 on x86-ubc-01, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11900000
System Description:     Debian GNU/Linux testing (stretch)

Configured using:
 `configure --build x86_64-linux-gnu --prefix=/usr
 --sharedstatedir=/var/lib --libexecdir=/usr/lib
 --localstatedir=/var/lib --infodir=/usr/share/info
 --mandir=/usr/share/man --with-pop=yes
 --build x86_64-linux-gnu --prefix=/usr --sharedstatedir=/var/lib
 --libexecdir=/usr/lib --localstatedir=/var/lib
 --infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes
 --with-x=yes --with-x-toolkit=gtk3 --with-toolkit-scroll-bars
 'CFLAGS=-g -O2
 -Wformat -Werror=format-security -Wall -fno-PIE' 'CPPFLAGS=-Wdate-time
 -D_FORTIFY_SOURCE=2' 'LDFLAGS=-Wl,-z,relro -no-pie''

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]