GpgOL: Handle incompatible addins better
Open, High, Public

Description

Since most support issues related to GpgOL are linked to add-ins, particularly Symantec and anti-virus add-ins, we should improve how we handle these situations, as this can lead to plaintext leaks in the worst-case scenario.

It is essential that we clearly communicate that all other add-ins have the same access to plaintext as stated on our website at https://gnupg.com/vsd/security.html.

However, there is no clear definition of what third-party software may be installed on a VS-NfD compliant system. Therefore, it is crucial to raise awareness that end-to-end encryption can be bypassed if add-ins are installed and then send decrypted contents to the cloud for analysis. Anti-virus software has access to attachments before they are opened since they are extracted as files. So in my opinion, having them run in the UI thread of Outlook, where they can block and significantly reduce the UX, is not necessary.

The workaround dd3ff8397aaf62e58fa9405ddc5397cb6bcfdc29 was implemented to resolve a plaintext leak caused by one add-in/configuration combination, but it caused new issues: T6676: GgpOL: Signed Mails from Filesystem are modified when opened. And there is no guarantee that a change / update in a third-party add-in might change the behavior again.

In my opinion, it would be best to clearly communicate that GpgOL might not work correctly with these add-ins installed. In that case it would be better for security to disable GpgOL altogether so that users must use unencrypted mails with encrypted attachments. A message box could be displayed:

"GpgOL has detected the incompatible addin XY. This can cause stability and security issues that are outside of our control.

Keeping both enabled increases the risk of plaintext leaks or stability problems and is not recommended."

[Disable GpgOL] [Disable XY] [Keep both enabled]

Additionally, a registry key could be created to disable this warning for environments with centralized administration, assuming these environments have the necessary expertise to make informed decisions about their add-in configurations.
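
Added example (not part of the original task and not GpgOL code): a PowerShell audit an administrator could run to see which COM add-ins Outlook loads in the same process as GpgOL. The registry paths are Outlook's standard add-in registration locations; the `$reviewPatterns` list is an assumption, with only "Symantec" taken from the description above.

```powershell
# Standard locations where Outlook COM add-ins are registered
# (per-user, per-machine, and 32-bit Office on 64-bit Windows).
$roots = @(
    'HKCU:\Software\Microsoft\Office\Outlook\Addins',
    'HKLM:\Software\Microsoft\Office\Outlook\Addins',
    'HKLM:\Software\WOW6432Node\Microsoft\Office\Outlook\Addins'
)

# Assumption: name fragments to flag for review. Only "Symantec" is named
# in the task; extend this list to match the local environment.
$reviewPatterns = @('Symantec')

function Get-OutlookAddin {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            [pscustomobject]@{
                ProgId         = $key.PSChildName
                FriendlyName   = $p.FriendlyName
                LoadBehavior   = $p.LoadBehavior
                # Bit 0 = currently connected, bit 1 = load at startup.
                LoadsAtStartup = (($p.LoadBehavior -band 3) -eq 3)
                Root           = $root
            }
        }
    }
}

$addins = @(Get-OutlookAddin)

# Every add-in listed here runs inside Outlook and can see decrypted mail.
$addins | Sort-Object ProgId | Format-Table ProgId, FriendlyName, LoadBehavior, LoadsAtStartup

# Add-ins that load at startup and match a review pattern.
$flagged = @($addins | Where-Object {
    $a = $_
    $a.LoadsAtStartup -and
        ($reviewPatterns | Where-Object { "$($a.ProgId) $($a.FriendlyName)" -match [regex]::Escape($_) })
})

if ($flagged.Count -gt 0) {
    Write-Warning "Add-ins to review alongside GpgOL:"
    $flagged | Format-Table ProgId, FriendlyName, Root
} else {
    Write-Output "No add-in matched the review patterns."
}
```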