Page MenuHome GnuPG
Create Task
Maniphest T1572

Privacy Leak in Version: and Comment: header
Closed, ResolvedPublic
Actions

Description

It has been noted that there are some quite important privacy leak in the
OpenPGP "Version:" and "Comment:" that contain usually very sensitive
information regarding the software version used.

In the NSA XKEYSCORE's ages, those kind of information does provide a very
important weakness.
The Adversary capable of massively monitoring communications, profiling who
encrypt their email communications, can profile the exact version of encryption
software used waiting for a vulnerability to be found.
When a vulnerability is found for the exact version of the encryption software
used, the adversary can exploit the "exposure window" by having a prior
knowledge of the end-point encryption software weakness.

This ticket is to improve GnuPG not to permit, by default, to insert any kind of
"Version:" and "Comment:" headers, unless the end-user explicitly require to do
so with a command line argument or a configuration line.

Event Timeline

naif added projects: gnupg, Bug Report.Nov 24 2013, 5:45 PM
naif added a subscriber: naif.
naif added a comment.Nov 24 2013, 5:49 PM

This issue has been reported also on Enigmail
https://sourceforge.net/p/enigmail/bugs/215/

naif added a comment.Nov 24 2013, 5:54 PM

A discussion on this issue started on liberationtech mailing list on
https://mailman.stanford.edu/pipermail/liberationtech/2013-November/012239.html

naif added a comment.Nov 24 2013, 6:01 PM

Added GPGtools ticket
http://support.gpgtools.org/discussions/everything/13667-privacy-leak-in-version-and-comment-header

werner added a subscriber: werner.Nov 26 2013, 9:15 PM

Yeah, that it is a very old discussion on whether versions numbers are good or
bade security wise. IIRC, we had such a discussion again on the GnuPG users
list a few month before the snow.

Distinguishing between GnuPG-1 and GnuPG-2 would still be useful so to see
whether 1 is still in use. Dropping the exact version number and the OS is fine
with me.

gpg can't do anything about permitting - the user may do what s/he wants. Using
sed is actually a fine way to insert whatever one likes and that is nothing
can't gpg can avoid.

werner added a comment.Nov 27 2013, 11:05 AM

The new default is now

  Version: GnuPG v1

with --emit-version you can add more info and with --no-emit-version the version
line is removed as before. Pushed to all branches. A new 1.4 release is due
next month.

werner closed this task as Resolved.Nov 27 2013, 11:05 AM
werner claimed this task.
naif reopened this task as Open.Nov 27 2013, 12:04 PM

Would it possible also to provide a switch to prevent/filter out the adding of
"Comment:" header by default?

As i did notice that all software using GnuPG add a "Comment:" version with
additional "version leak" (such as EnigMail, MacGPG, etc).

I think that would be valuable if GnuPG would, by default, filter out the
"Comment:" header unless a specific command line switch is enabled.

A Default that does not allow "Comment:" by default.

A command line switch, like --enable-comment-header, to enable it.

That way, most of the software integrating GnuPG, when upgrading will need to
manage this condition and, by default, they will not leak additional information
in the "Comment:" header.

What do you think=

werner added a comment.Nov 27 2013, 3:49 PM

There is no comment header by default. Adding an extra option to disable it
does not make much sense - if application authors want them you need to convince
them. They are sometimes even used to convey meta information and thus a change
here would break some applications.

naif added a comment.Nov 27 2013, 3:55 PM

Hi Werner,

thanks! So, for GnuPG "Version:" we are ok.

I'm going to push forward the other application authors to disable the Comment:
field, at least removing the version information.

werner closed this task as Resolved.Nov 28 2013, 5:44 PM