Hi all, attached is a patch to mitigate the effects of the “Re: What's Up Johnny?” attacks on email end-to-end encryption as described in the draft paper [1]. Like the EFail [2] and “Johnny, you are fired!” [3] attacks, carefully crafted messages creatively using legitimate MIME and HTML features can be used to deceive the user regarding the actual message content: the attacker includes intercepted encrypted message parts which were originally sent to a different recipient (and which the attacker cannot decrypt). Iff such message parts are decrypted in background, and the user replies to the attacker, the decrypted plaintext /may/ be included in the reply. Balsa will include “silently” decrypted message parts in a reply in the following cases: - multipart/mixed, first part is a text/html, and any other part contains an encrypted RFC 4880 block; - multipart/report, first part is a text/*, and a message/rfc822 with encrypted contents is attached; - multipart/mixed, first part is a text/html with CID references to an other part, containing an encrypted RFC 4880 block. Note that Balsa is *not* vulnerable by other HTML attacks described in the paper, as we do not automatically load or post data from/to external sources. With this patch, Balsa tries to draw the user's attention to the following cases when replying to an at least partially encrypted message: (1) The user replies to an encrypted message with a single text part. In this case, a dialogue is shown reminding the user that the cited text in the reply has been decrypted, and that due care should be taken not to leak sensitive information and/or to encrypt the reply. As this warning might be annoying, the user may switch it off. (2) The user replies to a fully encrypted message with multiple text parts. The usual dialogue for selecting parts for citation is shown. All decrypted (i.e. all in this case) parts are marked, and the message as of #1 is added to the dialogue label. (3) The user replies to a message containing both encrypted and unencrypted text parts. The selection dialogue as in #2 is shown. It includes a warning that the original message /might/ be an attack. All decrypted parts are deselected, i.e. the user must explicitly select them for inclusion in the reply. Additionally, in the dialogue as of #2 and #3, I replaced the MIME type in the description by the human-readable translation reported by libbalsa_vfs_content_description(). Unfortunately, a set of proof-of-concept test messages is not yet publicly available, but at least some basic test messages can be produced easily, e.g by forwarding a encrypted message to yourself as attachment, etc. As always, any comment is welcome! Cheers, Albrecht. [1] <https://arxiv.org/ftp/arxiv/papers/1904/1904.07550.pdf> [2] <https://efail.de/> [3] <https://github.com/RUB-NDS/Johnny-You-Are-Fired> --- Patch details: - src/balsa-app.h: add flag whether the user wants to be warned when replying to an encrypted message - src/save-restore.c: * save/restore new flag * add reply selection dialogue to geometry manager - src/sendmsg-window.c: * tree_add_quote_body(): refactoring, add information whether the part has been decrypted * scan_bodies(): use new tree_add_quote_body(), propagate information about encrypted containers * unselect_decrypted(): new function for deselecting all decrypted parts in the dialogue for selecting cited parts * quote_parts_select_dlg(): add message when replying to a fully or partially encrypted message, use geometry manager * show_decrypted_warning(): show dialogue when the user replies to a single-part decrypted message * collect_for_quote(): use new scan_bodies() api
Attachment:
fix-re-whats-up-johnny.diff.bz2
Description: application/bzip
Attachment:
pgpczZpENvkId.pgp
Description: PGP signature