[Users] FYI: PGP-encrypted email Warning

Slavko linux at slavino.sk
Mon May 14 12:47:04 CEST 2018


Hi,

Dňa Mon, 14 May 2018 10:38:08 +0200 Ricardo Mones <ricardo at mones.org>
napísal:

> On Mon, May 14, 2018 at 02:34:39AM -0400, Charles A Edwards wrote:
> > 
> > https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now  
> 
> Don't let the dramatic hollywoodesque style of some researchers to
> confuse you:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
> 

the discussion continues, eg. here 
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060323.html
is stated that:

"
GnuPG will warn you the message was not integrity protected.
Your email client should see this warning and refuse to render the
message."

I tried commands to produce message without integrity check, provided
on this link and result is, that CM ignores mentioned warning and shows
me decrypted content of the message (at least for PGP/Inline). Is it OK?

CM displays message and warning is lost at all (at least i was not
able to find it)... But the RFC 4880 says:

   Any failure of the MDC indicates that the message has been modified
   and MUST be treated as a security problem.  Failures include a
   difference in the hash values, but also the absence of an MDC packet,
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^
   or an MDC packet in any position other than the end of the plaintext.
   Any failure SHOULD be reported to the user.
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Or i miss something?

-----

If someone want to try it itself (or to correct me), here are commands
which i used (i have local mailserver, but anyone can paste produced
output to MUA and post it):

echo ahoj | gpg --armor --recipient your at email --cipher-algo 3DES
--disable-mdc --encrypt --sign | mail your at email

Mail was sent and gpg produces warning:

gpg: WARNING: encrypting without integrity protection is dangerous

Decrypting produces warnings too (simple replace "mail XY" with "gpg"
in last piped command):

gpg: WARNING: message was not integrity protected

regards

-- 
Slavko
http://slavino.sk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 506 bytes
Desc: Digitálny podpis OpenPGP
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20180514/0b37378e/attachment.sig>


More information about the Users mailing list