Open Bug 1731608 Opened 4 years ago Updated 7 months ago

can't view content of PGP-encrypted messages that are insecure due to lack of the MDC

Categories

(MailNews Core :: Security: OpenPGP, defect, P3)

Thunderbird 91
defect

Tracking

(Not tracked)

People

(Reporter: info, Unassigned)

References

Details

Attachments

(3 files)

+++ This bug was initially created as a clone of Bug #1729221 +++

+++ This bug was initially created as a clone of Bug #1663169 +++

Tested with TB 91.1.1 64-bit on Windows 10 Enterprise 64-bit.

Prologue

In the childhood of PGP, software like GnuPG as well as MUAs did not add the MDC when encrypting PGP messages. For example, GnuPG implemented the MDC around 2003 (but please correct me if I am wrong). I don't know when TB / Enigmail began to add the MDC when encrypting messages.

Even now, it is theoretically possible to receive PGP-encrypted messages which lack the MDC (although this didn't happen to me personally for a very long time).

Anyway, sometimes we need to open such messages. Although most of them are old, some of them are still relevant.

Problem

Thunderbird and its PGP implementation constantly improve security, which is a good thing in general. For that reason, it refuses to open encrypted messages which lack the MDC (among others, the MDC is suitable to prevent Efail attacks).

But this policy is a bit too strict, because it simply prevents us from opening old messages which we have received in PGP-encrypted form.

I believe that we should be able to override that behavior, perhaps using a config variable (in this case, the feature would be available for advanced users), or using a dialog box which asks what to do if we try to open a message without MDC, or something else - whatever you consider appropriate.

Even if we could permanently decrypt such messages (which isn't the case currently), this would not be a solution to the problem because a lot of people intentionally keep their messages in encrypted form, for example because they are on IMAP servers which they don't have under their own control.

Steps to reproduce

  1. Import Bob's secret key into your Thunderbird installation (https://searchfox.org/comm-central/source/mail/test/browser/openpgp/data/keys/bob@openpgp.example-0xfbfcc82a015e7330-secret.asc).

  2. Save the file test.good.eml, which is attached to this bug report, to your device and open it with Thunderbird (File -> Open -> Saved message...).

  3. Note that a new window opens, showing the message text ("Test"), and showing a good encryption / signature status.

So far, so good.

  4. Save the file test.bad.eml, which is attached to this bug report, to your device and open it with Thunderbird (File -> Open -> Saved message...).

  5. Note that Thunderbird refuses to show the message text, shows a bad OpenPGP status, and shows a red error message below the headers which states that the message could have been modified. This situation is also shown in file test.png, which is attached to this bug report.

Actual results

See above, list item 5.

Expected results

Thunderbird should tell me about a possible security breach, as it already does. But in addition, it should offer me to open the message nevertheless, or should tell me what setting I have to change to make this possible. As explained above, a mechanism to override this specific security policy is necessary, because otherwise we can't open old PGP-encrypted messages.

Attached file test.good.eml
Attached file test.bad.eml
Attached image test.png
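The distinction this bug turns on, a message whose encrypted payload is a legacy Symmetrically Encrypted Data packet (tag 9) rather than a Symmetrically Encrypted Integrity Protected Data packet (tag 18, which carries the MDC), is visible in the raw OpenPGP packet headers without decrypting anything. The script below is an added example, not code from the bug report, from Thunderbird or from its OpenPGP library; it walks the packet headers of a binary or ASCII-armored message (RFC 4880 old- and new-format headers) and reports which kind of encrypted data packet is present. The two sample messages in it are constructed byte sequences with placeholder bodies, not real ciphertext, and the armor CRC line is a placeholder that the script does not verify.

```python
"""Report whether an OpenPGP message's encrypted payload carries an MDC.

Added example; not part of the bug report or of Thunderbird. Packet tags
follow RFC 4880 section 4.3:
   1  Public-Key Encrypted Session Key (PKESK)
   3  Symmetric-Key Encrypted Session Key (SKESK)
   9  Symmetrically Encrypted Data (legacy, no MDC)
  18  Symmetrically Encrypted Integrity Protected Data (SEIPD, has MDC)
"""
import base64

TAG_NAMES = {1: "PKESK", 3: "SKESK", 8: "Compressed", 9: "SED (no MDC)",
             11: "Literal", 18: "SEIPD (MDC)"}


def dearmor(text):
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC line) and base64-decode."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored PGP block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            in_body = line.strip() == ""   # blank line ends the armor headers
            continue
        if line.startswith("="):           # CRC-24 line; not verified here
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def parse_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header byte 0x{ctb:02x} at offset {i}")
        i += 1
        if ctb & 0x40:                     # new-format header: tag in low 6 bits
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported in this example")
        else:                              # old-format header: tag in bits 2..5
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = n - i             # indeterminate: runs to end of data
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + width], "big")
                i += width
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag}) at offset {i}")
        i += length
        yield tag, body


def mdc_status(data):
    """Return 'mdc', 'no-mdc' or 'none' depending on the encrypted data packet found."""
    tags = [tag for tag, _ in parse_packets(data)]
    if 18 in tags:
        return "mdc"
    if 9 in tags:
        return "no-mdc"
    return "none"


def describe(data):
    """Human-readable packet listing, one line per packet."""
    return [f"tag {tag:2d} {TAG_NAMES.get(tag, 'other')} ({len(body)} bytes)"
            for tag, body in parse_packets(data)]


# --- constructed sample messages (placeholder bodies, not valid ciphertext) ---
def _new_packet(tag, body):
    """New-format header with a one-octet length (bodies under 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body


def _old_packet(tag, body):
    """Old-format header with a two-octet length (length-type 1)."""
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


_PKESK_BODY = b"\x03" + b"\x00" * 8 + b"\x01" + b"\x00" * 64   # version, key id, algo, filler
SAMPLE_WITH_MDC = _new_packet(1, _PKESK_BODY) + _new_packet(18, b"\x01" + b"\x11" * 40)
SAMPLE_WITHOUT_MDC = _old_packet(1, _PKESK_BODY) + _old_packet(9, b"\x22" * 40)
SAMPLE_WITHOUT_MDC_ARMORED = (
    "-----BEGIN PGP MESSAGE-----\n"
    "Comment: constructed sample, not a real message\n"
    "\n"
    + base64.b64encode(SAMPLE_WITHOUT_MDC).decode() + "\n"
    "=XXXX\n"                              # CRC-24 placeholder
    "-----END PGP MESSAGE-----\n"
)

if __name__ == "__main__":
    for name, raw in (("with MDC", SAMPLE_WITH_MDC),
                      ("without MDC", dearmor(SAMPLE_WITHOUT_MDC_ARMORED))):
        print(name, "->", mdc_status(raw))
        for line in describe(raw):
            print("  ", line)
```

Run against the PGP part saved from a message's source, this tells you whether Thunderbird's refusal is the missing-MDC case described in this bug (a tag 9 packet) rather than some other decryption problem; a current implementation emits tag 18 for every message it encrypts, so re-encrypting an old message with current software is what turns "no-mdc" into "mdc".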

I guess decrypting would be ok with the scary banner showing. This is one other place where we conflate the concept of what "security" is in relation to encryption.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: TB can't open old PGP-encrypted messages (because such messages lack the MDC) → can't view content of PGP-encrypted messages that are insecure due to lack the MDC

Thanks for caring.

That was my idea also. It would be very nice if you could implement it that way.

Just not being able to open such old messages could be a real problem for users who don't know how to save the message's source code, to dissect the various MIME parts, and to decrypt them using GnuPG, for example.

In general, future TB development IMHO should make sure that TB never becomes incompatible with old messages again, however complicated that may be and regardless of how important the reason for an incompatibility may be. Safe default settings are desirable, keeping users from stupid things is desirable, and making it quite hard to override default behavior is also desirable.

However, such overrides are a must; we have to keep in mind that users cannot permanently decrypt messages at the moment. Therefore, 10 years in the future, TB must still be able to open (= decrypt) today's encrypted messages, even when next week there is another attack against PGP which requires the implementation or even the protocol to be changed. There must be options to temporarily restore the previous behavior (ensure compatibility) at least per-message (i.e. if we try to open a message). Such options must be implemented at the same time (not afterwards) as the respective incompatibility is introduced.

Best regards, and thank you very much,
Binarus

Blocks: tb91found

This still had low priority. When considering to eventually implement that (if it's still necessary), we should ensure that we never allow viewing of remote content in messages that lack an MDC (see also what I wrote in bug 1994709).

