Blog post about CCCamp '19, and EFail


#1

Hello Mailpile!

I recently made some interesting security-related changes to how Mailpile decrypts mail, to reduce the odds EFail social engineering attacks will succeed.

I wrote a blog post about the changes here: https://www.mailpile.is/blog/2019-08-31_CCCamp_EFail.html

Comments are welcome.


#2

Instead of “guessing” what looks suspicious, my first approach would be to just disable auto quoting in replies. When anybody wants to quote a specific part, they can still do it. But all the bloat from previous messages, which you see in your message thread anyway, is not up to date.

This approach would not avoid decryption of the suspicious message, but it would avoid sending it back and thus disclosing it. As long as your system is safe, you won’t disclose any information.


The real fix would need a modification of the PGP standard: adding a hash/signature of the unencrypted content before encryption (and encrypting it along with the raw content). This would also not avoid decryption of the suspicious message, but it would allow such an attempt to be reliably detected. Again, as long as the system running the decryption is safe, no information would be disclosed.


#3

That’s fair, and that is how I was thinking about this before Camp. Me from two weeks ago would have agreed… but today I feel differently.

The key insight at camp was that although PGP/MIME allows for a lot of complexity, and supporting inline PGP potentially adds even more, the diversity of “legitimate” message structures seen in the wild is actually very limited; unusual structures are extremely rare, which means we can be quite conservative (and thus safe) about what we decrypt, while still maintaining broad compatibility with existing OpenPGP encrypted mail.

Changing the UI as you describe is much, much more work and is also dumping a bunch of work on the user for every single mail they compose (reviewing and considering what gets quoted). Which is why I hadn’t implemented it ages ago, in spite of mulling this problem over for quite some time.

Thanks for sharing your thoughts!
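A conservative structure check in the spirit of the approach described in the post above, added here as an example (it is not Mailpile's code). It uses only Python's standard `email` package; the accepted shapes (the canonical RFC 3156 PGP/MIME layout and a text/plain body that is nothing but one PGP block) and the sample messages are assumptions of this example, and the ciphertext is a constructed placeholder.

```python
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

BEGIN, END = b"-----BEGIN PGP MESSAGE-----", b"-----END PGP MESSAGE-----"
FAKE_CIPHERTEXT = BEGIN + b"\n(constructed placeholder, not real ciphertext)\n" + END

def classify(msg: Message) -> str:
    """'pgp-mime': the one canonical RFC 3156 shape; 'inline': a text/plain body
    that is exactly one PGP block; 'plain': no PGP content; 'unusual': anything
    else (ciphertext nested beside cleartext, several encrypted parts, a PGP
    block buried in other text). A conservative client decrypts only the first two."""
    if msg.get_content_type() == "multipart/encrypted":
        parts = msg.get_payload()
        if (msg.get_param("protocol") == "application/pgp-encrypted"
                and len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"
                and parts[1].get_content_type() == "application/octet-stream"):
            return "pgp-mime"
        return "unusual"
    if msg.get_content_type() == "text/plain":
        body = (msg.get_payload(decode=True) or b"").strip()
        if body.startswith(BEGIN) and body.endswith(END):
            return "inline"
    for part in msg.walk():  # any other PGP material means a non-standard layout
        if part.get_content_type() in ("multipart/encrypted", "application/pgp-encrypted"):
            return "unusual"
        if not part.is_multipart() and BEGIN in (part.get_payload(decode=True) or b""):
            return "unusual"
    return "plain"

def text_message(body: str) -> Message:
    """Constructed sample: a single text/plain part with the given body."""
    return MIMEText(body, "plain")

def canonical_message() -> Message:
    """Constructed sample: the shape a well-behaved OpenPGP MUA sends."""
    enc = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    enc.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    enc.attach(MIMEApplication(FAKE_CIPHERTEXT, "octet-stream"))
    return enc

def wrapped_message() -> Message:
    """Constructed sample: the canonical part wrapped in multipart/mixed next to
    a cleartext part; exactly the kind of structure not to auto-decrypt."""
    parts = [text_message("cleartext placed around the ciphertext"), canonical_message()]
    return MIMEMultipart("mixed", _subparts=parts)
```

Running `classify` over incoming mail before handing anything to the OpenPGP backend gives a single place to log and count the "unusual" layouts, which is also how one would measure how rare they really are in a given mailbox.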


#4

I didn’t look into the code before, but it took me about 5 mins to find the corresponding changes needed to implement my proposal of disabling auto-quotation: mailpile/plugins/compose.py delete lines 494-505.

For the selective quoting, I would suggest a behavior similar to Gmail, Discourse etc.: when you select some part of the text and click the Reply button, that is the part which gets quoted. This should be implemented as a JavaScript function and would not need any backend modification. These changes would probably go into shared-data/default-theme/html/jsapi/compose/body.js, events.js[L304-322].


#5

Great! Since you see a clear path forward here, please feel free to send a PR when you have something working. Better control over quoting would be a very nice feature to have! If you have any questions about how to take this further, feel free to discuss on IRC. The more we chat about how you approach this, the more likely it is that I can merge your work.

But beyond providing advice and guidance, I can’t help you implement this. The high priority security issue is IMO resolved and other things need my attention.