Out of 20 Email Clients Tested, 14 Were Vulnerable to OpenPGP Signature Spoofing Attacks
Researchers have found that encrypted emails are not always as secure as we might think. From more than two dozen popular encrypted email clients, they found that the majority are vulnerable to one or more signature spoofing attacks.
Good cryptography is nearly impossible to break with contemporary commercial computers — so attackers don’t often attempt to. Instead, they attack the implementation and use of cryptography, where the weaknesses are more often found. This is especially true for email, where the implementation of encrypted emails is particularly challenging.
Researchers from the Ruhr University Bochum and Munster University of Applied Sciences have investigated (PDF) the implementation of the two major email encryption standards, OpenPGP and S/MIME, and have found them largely wanting. While the use of encrypted emails is not widespread, wherever it is used is likely to secure valuable or particularly sensitive content. So, it is disturbing that the researchers found flaws in the design of many leading secure email clients. Fourteen out of 20 tested OpenPGP-capable clients, and 15 out of 22 clients supporting S/MIME were susceptible to digital signature spoofing.
For both OpenPGP and S/MIME, the user signature that ensures end-to-end authenticity is bound to the user. S/MIME uses certificates issued by certificate authorities. The original PGP Web of Trust approach has in some cases been supplanted by proprietary trust models, such as OpenKeychain, R2Mail2, and Horde/IMP. In both cases the researchers found ways to spoof the user signature.
Five separate classes of attack are described: CMS attacks, GnuPG API attacks, MIME attacks, ID attacks, and UI attacks. The attack model requires only that the attacker can spoof email from one of the parties concerned, and that the attacker has a single S/MIME or OpenPGP signature for that party. Neither of these is difficult. For the ID class of attacks, it is also assumes that the target trusts the attacker’s signature; which is easy for S/MIME but might require some social engineering for OpenPGP.
The effects of the attacks have one of three outcomes: perfect signature forgery (where there is no indication of any problem); partial forgery (where the presentation is only identical at the first user interaction; and weak forgery (where not all elements of a valid forgery are present, and the user could potentially spot the forgery).
The CMS attacks take advantage of the inherent complexity of CMS within S/MIME. One attack is dubbed eContent Confusion. The CMS object contains the sender’s signature, and may or may not also contain the encrypted content (eContent) of the message. If there is no eContent, the client knows it will be provided by other means; ie, a separate MIME part. If the eContent field is present even though the multipart mechanism is used, it can lead to confusion. This can result, say the researchers, in “perfect forgeries of arbitrary signed emails for a person from which we already have a signed email.”
Thunderbird, Postbox, MailMate, and iOS Mail are vulnerable to eContent confusion attacks.
Complexity also lies at the heart of the GnuPG (GPG — a stand-alone implementation of OpenPGP) attacks. GPG provides a command-line interface with about 380 options and commands. which “provides a rich attack surface”. The researchers concentrated on injection attacks, particularly through the use of logging messages where some applications using GPG conflate the status API and the logging messages by using the same data channel stdout for both. It is possible for the attacker to spoof the status lines entirely and provide arbitrary data to the application, including forged indications of a successful signature validation for arbitrary public keys.
One example of the MIME attacks can occur when the original part of a multipart HTML S/MIME message is simply commented out. If the email client renders both parts in a single HTML document, then the signed part can be commented out with HTML comments, or embedded within and hidden by HTML tags, or even wrapped within CSS properties. The result is a perfect forgery.
Five PGP email clients, including Thunderbird and Apple Mail, are vulnerable to this attack.
The ID attack class is less powerful than the others, since signs of manipulation are often visible. A simple example would work where there is a lack of binding between the user ID from the signature and the address given in the FROM header. Under these circumstances, an attacker could sign and send an email to the target, but spoof the header to appear is if were coming from a different sender.
UI attacks exploit the presentation of the signature verification results to the user. Some clients display this within the email content, which is under the control of the attacker. The researchers provide an example of such a spoofed email in Roundcube — it simply inserts and mimics the “Verified signature from…” statement.
Five of the tested PGP clients and four S/MIME clients display the status of signatures within the email body. “Another seven PGP clients and nine S/MIME clients,” say the researchers, “show the results of signature verification in, or very close to, the email body and could be attacked with limitations (causing weak forgeries).”
The results of the investigation suggest a poor performance from the PGP and S/MIME ecosystem. “For ten OpenPGP capable clients and seven clients supporting S/MIME,” say the researchers, “we could spoof visually indistinguishable signatures on all UI levels (resulting in perfect forgeries).” None of these attacks exploit the underlying cryptography, but all can be used to spoof the signatures.
All the discovered attacks have been reported to the vendors, with the researchers’ advice on appropriate remedies.