[Users] FYI: PGP-encrypted email Warning

Slavko linux at slavino.sk
Mon May 14 12:47:04 CEST 2018


On Mon, 14 May 2018 10:38:08 +0200 Ricardo Mones <ricardo at mones.org>

> On Mon, May 14, 2018 at 02:34:39AM -0400, Charles A Edwards wrote:
> > 
> > https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
> Don't let the dramatic Hollywoodesque style of some researchers
> confuse you:
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

the discussion continues, e.g. here
it is stated that:

GnuPG will warn you the message was not integrity protected.
Your email client should see this warning and refuse to render the

I tried the commands to produce a message without an integrity check,
provided at this link, and the result is that CM ignores the mentioned
warning and shows me the decrypted content of the message (at least for
PGP/Inline). Is that OK?

CM displays the message and the warning is lost altogether (at least I
was not able to find it)... But RFC 4880 says:

   Any failure of the MDC indicates that the message has been modified
   and MUST be treated as a security problem.  Failures include a
   difference in the hash values, but also the absence of an MDC packet,
   or an MDC packet in any position other than the end of the plaintext.
   Any failure SHOULD be reported to the user.

Or am I missing something?


If someone wants to try it themselves (or to correct me), here are the
commands which I used (I have a local mailserver, but anyone can paste
the produced output into their MUA and post it):

echo ahoj | gpg --armor --recipient your@email --cipher-algo 3DES \
  --disable-mdc --encrypt --sign | mail your@email

The mail was sent and gpg produces a warning:

gpg: WARNING: encrypting without integrity protection is dangerous

Decrypting produces a warning too (simply replace "mail XY" with "gpg"
in the last piped command):

gpg: WARNING: message was not integrity protected
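The missing-MDC case discussed above is visible in the message itself, before decryption: a message produced with --disable-mdc carries its ciphertext in a Symmetrically Encrypted Data packet (tag 9), while a normal one uses a Symmetrically Encrypted Integrity Protected Data packet (tag 18). The following is an added example, not code from the post or from Claws Mail, showing how an MUA could flag the tag 9 case from the packet headers alone; it assumes the binary (dearmored, e.g. via gpg --dearmor) message as input and uses hand-built packets as sample data. An MDC that is present but fails its hash check can only be detected after decryption, which is what gpg's warning reports.

```python
SED, SEIPD = 9, 18  # RFC 4880 tags: 9 = no MDC (what --disable-mdc emits), 18 = MDC present

def _new_len(data: bytes, i: int):
    """Decode new-format length octet(s) at data[i]: (length, next index, is_partial)."""
    f = data[i]
    if f < 192:
        return f, i + 1, False
    if f < 224:
        return ((f - 192) << 8) + data[i + 1] + 192, i + 2, False
    if f == 255:
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (f & 0x1F), i + 1, True  # partial body length (224..254)

def packet_tags(data: bytes) -> list:
    """Return the tag of each top-level packet (RFC 4880 section 4.2), old and new format."""
    tags, i = [], 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % (i - 1))
        if ctb & 0x40:                       # new-format header
            tag = ctb & 0x3F
            length, i, partial = _new_len(data, i)
            i += length
            while partial:                   # following chunks carry only a length field
                length, i, partial = _new_len(data, i)
                i += length
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            n = (1, 2, 4, 0)[ltype]          # ltype 3 = indeterminate, runs to end of input
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n + length
        tags.append(tag)
    return tags

def integrity_protected(message: bytes) -> bool:
    """True only if the encrypted payload is a SEIPD packet (tag 18); tag 9 has no MDC."""
    enc = [t for t in packet_tags(message) if t in (SED, SEIPD)]
    if not enc:
        raise ValueError("no encrypted data packet found")
    return enc[-1] == SEIPD

def sample_message(with_mdc: bool) -> bytes:
    """Constructed binary message (not real gpg output): a dummy PKESK (tag 1, old
    format, two-octet length) followed by a dummy SEIPD or SED packet."""
    pkesk = bytes([0x85, 0x00, 0x04]) + b"\x03ABC"
    if with_mdc:  # new-format tag 18: a 2-byte partial chunk, then a final 3-byte chunk
        return pkesk + bytes([0xD2, 0xE1]) + b"\x01X" + bytes([3]) + b"YZW"
    return pkesk + bytes([0xA4, 5]) + b"\x00\x01\x02\x03\x04"  # old-format tag 9, no MDC
```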


