Closed Bug 1594253 Opened 5 years ago Closed 1 year ago

Thunderbird doesn't decrypt OpenPGP encrypted message wrapped in an S/MIME signature (e.g. sent through Gmail/G Suite)

Categories

(MailNews Core :: Security: OpenPGP, defect, P5)

Tracking

(thunderbird_esr102 wontfix)

RESOLVED FIXED
110 Branch
Tracking Status
thunderbird_esr102 --- wontfix

People

(Reporter: zylxpl, Assigned: KaiE)

References

Details

(Keywords: testcase)

Attachments

(5 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

Steps to reproduce:

  1. Set up an S/MIME certificate in Thunderbird
  2. Send an email to exchange public keys
  3. Send an S/MIME encrypted email from the Gmail web interface (G Suite)

Actual results:

Received message is listed as unencrypted, but it contains an smime.p7m attachment. Signature is invalid, can't read email.

Expected results:

Message should be decrypted.

Flags: needinfo?(kaie)

It seems the G Suite product you mention is a proprietary product which doesn't allow anyone to register accounts freely.

Please attach a sample email you have received, so we could try to look at its message structure.

Flags: needinfo?(kaie) → needinfo?(zylxpl)
Summary: Thunderbird don't decrypt S/MIME mails from Gmail/G Siute → Thunderbird don't decrypt S/MIME mails from Gmail/G Suite

Sorry for the delay. I added a sample message encrypted by the Google server. I also attached a screenshot of how it looks in Thunderbird. Please note that the same message is decrypted correctly by other email clients like Outlook or Evolution. If needed I can send such a message to kaie at kuix.de (after we exchange keys) or even provide a test account from my organisation.

Flags: needinfo?(zylxpl)
Attached file sample message

Kai, what do you think of the testcase?

Flags: needinfo?(kaie)
Keywords: testcase

Sorry for the delay, I had missed the update.

This message has an inner encryption layer, wrapped in an outer signature layer. In other words, this email uses encrypt-then-sign.

In 2018, after the EFail reports, Thunderbird has stopped supporting this encoding order. It only allows decryption of content if the encryption layer is the topmost layer of an email.

One reason is to avoid accidental leakage of subordinate message parts on reply/forward.

Another reason is that an attacker could take any encrypted message, and add an outer signature layer to it.
Say Alice sends an encrypted and signed message to Bob. Eve, the attacker, is able to capture the message in transit and prevent it from being delivered to Bob. Eve strips the signature, then Eve adds her own signature, and sends it to Bob. Bob will falsely conclude that the message originates from Eve.

If you really need to decrypt the message, you could save it to a file, and strip the outer signature layer, then open it again with Thunderbird.

It's recommended that software stops using encrypt-then-sign and switches to sign-then-encrypt layering. In this scenario, only the intended recipients (who are able to decrypt) will be able to view the signature.

It's unfortunate that we don't yet do a better job of communicating this decision to users. Improving this situation is the subject of bug 1576655.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(kaie)
Depends on: CVE-2018-12373
See Also: → 1576655

Thx for reply Kai, that explains a lot.

However, as you mentioned, it is very unclear and misleading to users. Wouldn't it be better to just decrypt the message and not show the signature, or even show some kind of flag that the signature could be replaced and can't be trusted? After all, the user should at least be able to examine the message and have the final word on what he/she trusts.

Anyway, I'm going to open a ticket with G Suite with the information you provided. Maybe they switch to sign-then-encrypt as well.

(In reply to zylxpl from comment #7)

Wouldn't it be better to just decrypt the message and not show the signature, or even show some kind of flag that the signature could be replaced and can't be trusted? After all, the user should at least be able to examine the message and have the final word on what he/she trusts.

This isn't about trust, but about leaking. The issue is we are going through the same decoding code path for both "display" and "forward/reply". So, when you hit reply, some MIME part, potentially invisible, could get automatically decrypted, but might not be visible to you during composing a reply. (Or visible, but you don't notice.) This could allow an attacker to trick you into decrypting a message that you received earlier, and which an attacker would like to read. You'd unknowingly decrypt, and unknowingly send it to the attacker. That's why we're careful and no longer decrypt subordinate parts. Your suggestion would require that the Thunderbird decoding code behaves differently, based on the target of the decoding (display or reply/forward). Still, even when decoding for display, there'd still be risk that a user might unknowingly copy/paste complex HTML/CSS code with the hidden decrypted contents inside it.

Hi, I have Thunderbird 91 on Ubuntu 21.10 and I still have this issue;
was there any progress?
Also, I noticed that both KMail and Outlook are able to decrypt the message and check the signature correctly. But I do not want to use either because they are substandard in many ways to Thunderbird, but at the moment I cannot read my colleagues' emails.

Indeed, the issue is that the content is signed, then encrypted, and attached as an attachment with a signature. It is quite a silly way to do it, really, since even OpenSSL does not support decrypting the email as is; I have to grep away the attachment part and then decrypt that. Quite cumbersome.

Any help would be appreciated: I am trying to create an add-on for Thunderbird for that, but I am a bit of a noob at that.

Thanks

Maurizio

Guys, this is still a problem.
Any update yet?

thanks
Maurizio

Severity: normal → S3
Depends on: 1746579

Any update on this?

(In reply to mgarzelli from comment #11)

Any update on this?

Clearly not. If you read comment 8 there isn't a definite solution planned within Thunderbird, except perhaps via bug 1746579 which also has no action and is currently not a priority.

If you are seeking help for making an add-on (comment 9) then you may want to ask in https://thunderbird.topicbox.com/groups/addons. https://thunderbird.topicbox.com/groups/e2ee may be another source of information.

Priority: -- → P5

(In reply to Wayne Mery (:wsmwk) from comment #12)

(In reply to mgarzelli from comment #11)

Any update on this?

Clearly not. If you read comment 8 there isn't a definite solution planned within Thunderbird, except perhaps via bug 1746579 which also has no action and is currently not a priority.

If you are seeking help for making an add-on (comment 9) then you may want to ask in https://thunderbird.topicbox.com/groups/addons. https://thunderbird.topicbox.com/groups/e2ee may be another source of information.

Thank you for the reply.
That is unfortunate, yet I see the necessity.
So if I have understood it correctly, Thunderbird will not decrypt a message if there is an outer signature layer. I did notice, by the way, a very singular behaviour:
when I compare the same emails between KMail and Thunderbird, I notice that I am able to decrypt the "encrypt and sign" ones ONLY if they are signed twice (outside and inside the encryption layer) and both signatures comply! I noticed that in KMail, it shows that there are two signature layers, one outside and one inside, and one of them is always 'wrong',
and note how the good signature has a longer key index than the bad one. But I think the main point here is that G Suite is signing the message twice, once before and once after encryption, and Thunderbird does not like the external one.

See here, copied from the KMail body of the email:

Message was signed by fra*****o@****.com on 20/06/2022 11:12 with key 0x81C46C11*****7D3
Status: Good signature.

Encrypted messageShow Details

Message was signed with key 0xC3DF657******CFD11EBD1AA81C46C11*****7D3. 
Status: Bad signature.
Ciao Maurizio,
........
Duplicate of this bug: 1785962

Patrick, FYI, I'd like to offer a workaround for this scenario.
It's an outer S/MIME signature layer, containing an OpenPGP MIME message (which might also contain an inner signature).

Because of the past decisions to never decrypt inner layers, we don't decrypt.

I don't think I'll be able to quickly offer a general solution as described in bug 1746579.
Instead, I'd like to add special handling for this scenario.

If the outermost layer is a signature, and inside there's just one encrypted message (no siblings), then I'd like to decrypt, and ignore the outermost signature (not show its status).

See Also: → 380624
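The layering rules described in this thread can be expressed as a check on the parsed MIME tree: comment 5 (decrypt only when the encryption layer is the topmost layer, because a subordinate encrypted part can leak on reply/forward and an outer signature can be stripped and replaced), comment 8 (the same decoding path serves display and reply/forward), and comment 17 (special-case exactly one outer signature layer around a single encrypted part, with no siblings). The following Python script is an added illustration, not Thunderbird's code or the patch from this bug; the messages it inspects are constructed samples whose PGP and PKCS#7 payloads are placeholders, and the policy labels it returns are the example's own naming. It also covers an outer OpenPGP signature layer (as comment 18 mentions) and an opaque S/MIME signature, which the script treats conservatively because its content cannot be inspected without CMS parsing.

```python
"""Classify the nesting order of signature and encryption layers in a MIME
message (constructed illustration, not Thunderbird's own code)."""
import email
from email import policy

# Constructed inner OpenPGP/MIME encryption layer (RFC 3156 shape).
# The PGP block is a placeholder, not real ciphertext.
PGP_ENCRYPTED = """\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1

--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
cGxhY2Vob2xkZXI=
-----END PGP MESSAGE-----

--inner--
"""

HEADERS = ("From: alice@example.invalid\nTo: bob@example.invalid\n"
           "Subject: constructed sample\nMIME-Version: 1.0\n")


def wrap_in_signed(inner, protocol="application/pkcs7-signature"):
    """Wrap an already-built MIME entity in an outer multipart/signed layer
    (RFC 1847 shape) with a placeholder detached signature as second part."""
    sig_ct = protocol + ('; name="smime.p7s"' if "pkcs7" in protocol else "")
    return (HEADERS
            + f'Content-Type: multipart/signed; protocol="{protocol}"; '
              'micalg=sha-256; boundary="outer"\n\n'
            + "--outer\n" + inner + "\n--outer\n"
            + f"Content-Type: {sig_ct}\nContent-Transfer-Encoding: base64\n\n"
              "cGxhY2Vob2xkZXI=\n--outer--\n")


# Constructed samples: the scenario from this bug, the normal case, an outer
# signature over a mixed body (encrypted part with an unencrypted sibling),
# and an opaque S/MIME signature whose content is hidden inside the CMS blob.
TRIPLE_WRAPPED = wrap_in_signed(PGP_ENCRYPTED)
TOPMOST_ENCRYPTED = HEADERS + PGP_ENCRYPTED
SIGNED_MIXED = wrap_in_signed(
    'Content-Type: multipart/mixed; boundary="mix"\n\n--mix\n' + PGP_ENCRYPTED
    + "\n--mix\nContent-Type: text/plain\n\nunencrypted sibling part\n--mix--\n")
OPAQUE_SIGNED = HEADERS + (
    'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n\ncGxhY2Vob2xkZXI=\n")


def smime_type(part):
    return (part.get_param("smime-type") or "").lower()


def is_encryption_layer(part):
    """OpenPGP/MIME multipart/encrypted or S/MIME enveloped-data."""
    ct = part.get_content_type()
    return ct == "multipart/encrypted" or (
        ct == "application/pkcs7-mime" and smime_type(part) == "enveloped-data")


def contains_encryption(part):
    """True if any part in the tree (including part itself) is an encryption layer."""
    return any(is_encryption_layer(p) for p in part.walk())


def decryption_policy(raw):
    """Return a policy label for a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    if is_encryption_layer(msg):
        return "decrypt"  # encryption is the topmost layer: the safe, normal case
    ct = msg.get_content_type()
    if ct == "application/pkcs7-mime" and smime_type(msg) == "signed-data":
        # Opaque signature: nested layers are invisible without CMS parsing,
        # so this example does not decrypt anything (conservative choice).
        return "opaque-signature-not-inspected"
    if ct == "multipart/signed":
        parts = msg.get_payload()
        # Exactly two children (signed body, detached signature) and the body
        # itself is the encryption layer: the special case, outer signature ignored.
        if len(parts) == 2 and is_encryption_layer(parts[0]):
            return "decrypt-ignore-outer-signature"
    if contains_encryption(msg):
        # Encrypted part sits below unrelated siblings: decrypting it could leak
        # on reply/forward, so it stays undecrypted.
        return "refuse-nested-encryption"
    return "plain"


if __name__ == "__main__":
    for name, raw in [("triple wrapped", TRIPLE_WRAPPED), ("topmost", TOPMOST_ENCRYPTED),
                      ("signed mixed", SIGNED_MIXED), ("opaque signed", OPAQUE_SIGNED)]:
        print(f"{name}: {decryption_policy(raw)}")
```

The special case deliberately matches only the exact two-child multipart/signed shape, in line with the comment that only specific known structures should be handled automatically; a real reader would still have to perform the decryption and decide how (or whether) to present the inner signature.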

I have an initial patch that works for my test cases. It's working for S/MIME or OpenPGP outer signature layers.

(In reply to Kai Engert (:KaiE:) from comment #17)

I don't think I'll be able to quickly offer a general solution as described in bug 1746579.
Instead, I'd like to add special handling for this scenario.

If the outermost layer is a signature, and inside there's just one encrypted message (no siblings), then I'd like to decrypt, and ignore the outermost signature (not show its status).

As long as we ensure that we only handle specific known structures automatically, that's perfectly OK in my eyes.

Summary: Thunderbird don't decrypt S/MIME mails from Gmail/G Suite → Thunderbird doesn't decrypt OpenPGP encrypted message wrapped in an S/MIME signature (e.g. sent through Gmail/G Suite)

In addition to the fix, I've been working on automated testing for this scenario. I found that the reverse scenario (inner S/MIME encryption, wrapped in an outer signature) also doesn't work - and isn't fixed yet by my work. Given that this scenario hasn't yet been reported by anyone, I'd like to postpone that additional scenario to a later time. I'll file a separate tracking bug. I've already prepared test messages, and will include them (disabled).

Component: Message Reader UI → Security: OpenPGP
Product: Thunderbird → MailNews Core
See Also: → 1806161
Assignee: nobody → kaie
Attachment #9308410 - Attachment description: WIP: Bug 1594253 - Rename variables in function hasUnauthenticatedParts to make it easier to understand. → Bug 1594253 - Rename variables in function hasUnauthenticatedParts to make it easier to understand. r=PatrickBrunschwig
Attachment #9308411 - Attachment description: WIP: Bug 1594253 - Ignore outermost signature layer for triple wrapped sign/encrypt/sign messages, allow viewing decrypted message. → Bug 1594253 - Ignore outermost signature layer for triple wrapped sign/encrypt/sign messages, allow viewing decrypted message. r=PatrickBrunschwig
Attachment #9308786 - Attachment description: WIP: Bug 1594253 - Add tests for encrypted email with additional outer signature layer. → Bug 1594253 - Add tests for encrypted email with additional outer signature layer. r=PatrickBrunschwig
Attachment #9308411 - Attachment description: Bug 1594253 - Ignore outermost signature layer for triple wrapped sign/encrypt/sign messages, allow viewing decrypted message. r=PatrickBrunschwig → Bug 1594253 - Ignore outermost signature layer for triple wrapped sign/encrypt/sign messages, allow viewing decrypted message. r=mkmelin
Attachment #9308786 - Attachment description: Bug 1594253 - Add tests for encrypted email with additional outer signature layer. r=PatrickBrunschwig → Bug 1594253 - Add tests for encrypted email with additional outer signature layer. r=mkmelin

Magnus, are you comfortable reviewing https://phabricator.services.mozilla.com/D164755 ?

Well, if Patrick can review that would be great.

(In reply to Magnus Melin [:mkmelin] from comment #23)

Well, if Patrick can review that would be great.

Patrick said he cannot review it.

Status: NEW → ASSIGNED
Target Milestone: --- → 110 Branch

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/ab62d55deea7
Rename variables in function hasUnauthenticatedParts to make it easier to understand. r=PatrickBrunschwig
https://hg.mozilla.org/comm-central/rev/ac091f2fc724
Ignore outermost signature layer for triple wrapped sign/encrypt/sign messages, allow viewing decrypted message. r=mkmelin
https://hg.mozilla.org/comm-central/rev/fff500700739
Add tests for encrypted email with additional outer signature layer. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Duplicate of this bug: 1799689

Thunderbird Beta version 110 and later contain a fix for this issue. Are you able to test and give feedback if the solution works for you?
If you cannot comment in bugzilla for whatever reason, please send email to kaie@kuix.de
Thanks

See Also: → 1830940