[Security Patch] mitigate “Re: What's Up Johnny?” vulnerabilities



Hi all,

attached is a patch to mitigate the effects of the “Re: What's Up Johnny?” attacks on email end-to-end 
encryption as described in the draft paper [1].

Like the EFail [2] and “Johnny, you are fired!” [3] attacks, carefully crafted messages creatively using 
legitimate MIME and HTML features can be used to deceive the user regarding the actual message content: the 
attacker includes intercepted encrypted message parts which were originally sent to a different recipient 
(and which the attacker cannot decrypt).  Iff such message parts are decrypted in background, and the user 
replies to the attacker, the decrypted plaintext /may/ be included in the reply.

Balsa will include “silently” decrypted message parts in a reply in the following cases:
- multipart/mixed, first part is a text/html, and any other part contains an encrypted RFC 4880 block;
- multipart/report, first part is a text/*, and a message/rfc822 with encrypted contents is attached;
- multipart/mixed, first part is a text/html with CID references to an other part, containing an encrypted 
RFC 4880 block.

Note that Balsa is *not* vulnerable by other HTML attacks described in the paper, as we do not automatically 
load or post data from/to external sources.

With this patch, Balsa tries to draw the user's attention to the following cases when replying to an at least 
partially encrypted message:

(1) The user replies to an encrypted message with a single text part.
In this case, a dialogue is shown reminding the user that the cited text in the reply has been decrypted, and 
that due care should be taken not to leak sensitive information and/or to encrypt the reply.  As this warning 
might be annoying, the user may switch it off.

(2) The user replies to a fully encrypted message with multiple text parts.
The usual dialogue for selecting parts for citation is shown.  All decrypted (i.e. all in this case) parts 
are marked, and the message as of #1 is added to the dialogue label.

(3) The user replies to a message containing both encrypted and unencrypted text parts.
The selection dialogue as in #2 is shown.  It includes a warning that the original message /might/ be an 
attack.  All decrypted parts are deselected, i.e. the user must explicitly select them for inclusion in the 
reply.

Additionally, in the dialogue as of #2 and #3, I replaced the MIME type in the description by the 
human-readable translation reported by libbalsa_vfs_content_description().

Unfortunately, a set of proof-of-concept test messages is not yet publicly available, but at least some basic 
test messages can be produced easily, e.g by forwarding a encrypted message to yourself as attachment, etc.

As always, any comment is welcome!

Cheers,
Albrecht.

[1] <https://arxiv.org/ftp/arxiv/papers/1904/1904.07550.pdf>
[2] <https://efail.de/>
[3] <https://github.com/RUB-NDS/Johnny-You-Are-Fired>

---
Patch details:
- src/balsa-app.h: add flag whether the user wants to be warned when replying to an encrypted message
- src/save-restore.c:
  * save/restore new flag
  * add reply selection dialogue to geometry manager
- src/sendmsg-window.c:
  * tree_add_quote_body(): refactoring, add information whether the part has been decrypted
  * scan_bodies(): use new tree_add_quote_body(), propagate information about encrypted containers
  * unselect_decrypted(): new function for deselecting all decrypted parts in the dialogue for selecting 
cited parts
  * quote_parts_select_dlg(): add message when replying to a fully or partially encrypted message, use 
geometry manager
  * show_decrypted_warning(): show dialogue when the user replies to a single-part decrypted message
  * collect_for_quote(): use new scan_bodies() api

Attachment: fix-re-whats-up-johnny.diff.bz2
Description: application/bzip

Attachment: pgpczZpENvkId.pgp
Description: PGP signature



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]