[Gpg4win-devel] [gpg4win-Bugs][6470] Privacy Leak in Version: and Comment: header

noreply at wald.intevation.org
Sun Nov 24 18:07:25 CET 2013


Bugs item #6470, was opened at 2013-11-24 17:07 by Fabio Pietrosanti (naif)
You can respond by visiting: 
https://wald.intevation.org/tracker/?func=detail&atid=126&aid=6470&group_id=11

Status: Open
Priority: 3
Submitted By: Fabio Pietrosanti (naif) (naif)
Assigned to: Nobody (None)
Summary: Privacy Leak in Version: and Comment: header 
Hardware: None
Product: Gpg4win Compendium
Operating System: All
Component: None
Version: None
Severity: None
Resolution: None
URL: 


Initial Comment:
It has been noted that there are some quite important privacy leaks in the
OpenPGP "Version:" and "Comment:" headers, which usually contain very sensitive
information regarding the software version used.

In the age of the NSA's XKEYSCORE, this kind of information provides a very
important weakness.

An adversary capable of massively monitoring communications, profiling who
encrypts their email communications, can profile the exact version of encryption
software used while waiting for a vulnerability to be found.

When a vulnerability is found for the exact version of the encryption software
used, the adversary can exploit the "exposure window" by having prior
knowledge of the end-point encryption software's weakness.

This ticket is to improve GPG4Win so that, by default, it does not insert any kind of
"Version:" or "Comment:" header, unless the end-user explicitly requires it
with a command line argument or a configuration line.

The same privacy leak issue has been reported on:
GnuPG ticketing system https://bugs.g10code.com/gnupg/issue1572 
Enigmail https://sourceforge.net/p/enigmail/bugs/215/ 
GPGTools http://support.gpgtools.org/discussions/everything/13667-privacy-leak-in-version-and-comment-header
Outlook Privacy Plugin https://code.google.com/p/outlook-privacy-plugin/issues/detail?id=124

Discussed on liberationtech mailing list https://mailman.stanford.edu/pipermail/liberationtech/2013-November/012239.html


----------------------------------------------------------------------

You can respond by visiting: 
https://wald.intevation.org/tracker/?func=detail&atid=126&aid=6470&group_id=11
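As an added example (not code from the ticket, from Gpg4win or from GnuPG): a small Python checker that parses the armor header block of an OpenPGP message, reports any Version:/Comment: headers, and strips them while keeping protocol-relevant headers such as Hash:. The two sample armored blocks are constructed for the example; their base64 bodies and checksums are filler rather than real packets, and the version string is a plausible stand-in, not output captured from any particular build.

```python
"""Detect and strip the OpenPGP armor headers that fingerprint the sending client."""
import re
from typing import Iterator, List, Tuple

# The two armor headers the ticket names as leaking client/version details.
LEAKY_HEADERS = ("Version", "Comment")

# Armor delimiter lines, e.g. "-----BEGIN PGP MESSAGE-----" (RFC 4880, section 6.2).
ARMOR_DELIM = re.compile(r"^-----(BEGIN|END) PGP [A-Z ,0-9/]+-----$")


def _iter_lines(armored: str) -> Iterator[Tuple[str, bool]]:
    """Yield (line, in_header) for every line, tracking the armor header block.

    A header block starts right after a BEGIN line and ends at the first blank
    line (the RFC separator) or at the first line that is not "Key: Value".
    Cleartext-signed messages carry two header blocks (one after BEGIN PGP
    SIGNED MESSAGE, one after BEGIN PGP SIGNATURE); both are handled.
    """
    in_header = False
    for line in armored.splitlines():
        if ARMOR_DELIM.match(line.strip()):
            in_header = line.strip().startswith("-----BEGIN")
            yield line, False
            continue
        if in_header and (line.strip() == "" or ":" not in line):
            in_header = False
        yield line, in_header


def find_leaky_headers(armored: str) -> List[Tuple[str, str]]:
    """Return every Version:/Comment: armor header as (key, value), in order."""
    found = []
    for line, in_header in _iter_lines(armored):
        if not in_header:
            continue
        key, _, value = line.partition(":")
        if key.strip() in LEAKY_HEADERS:
            found.append((key.strip(), value.strip()))
    return found


def strip_leaky_headers(armored: str) -> str:
    """Return the armored text with Version:/Comment: headers removed.

    Protocol-relevant headers such as Hash: (needed to verify cleartext
    signatures) and Charset: are kept, as is the blank separator line, so the
    output is still valid armor.
    """
    kept = []
    for line, in_header in _iter_lines(armored):
        if in_header and line.partition(":")[0].strip() in LEAKY_HEADERS:
            continue
        kept.append(line)
    text = "\n".join(kept)
    return text + "\n" if armored.endswith("\n") else text


# Constructed sample: the armor layout is real, but the base64 body and the
# checksum are filler, not an actual OpenPGP packet.
SAMPLE_MESSAGE = "\n".join([
    "-----BEGIN PGP MESSAGE-----",
    "Version: GnuPG v2.0.22 (MingW32)",
    "Comment: Using GnuPG with Thunderbird",
    "",
    "hQEMA0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "=AbCd",
    "-----END PGP MESSAGE-----",
]) + "\n"

# Constructed cleartext-signed sample: Hash: must survive stripping, and the
# colon in the signed text must not be mistaken for a header.
SAMPLE_CLEARSIGNED = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA256",
    "",
    "Meeting moved to 10:30.",
    "-----BEGIN PGP SIGNATURE-----",
    "Version: GnuPG v2.0.22 (MingW32)",
    "",
    "iQEcBAEBCAAGBQJSkhYjAAoJEAAAAAAAAAAAAAAH/2constructedFillerOnly",
    "=WxYz",
    "-----END PGP SIGNATURE-----",
]) + "\n"


if __name__ == "__main__":
    for name, text in (("message", SAMPLE_MESSAGE), ("clearsigned", SAMPLE_CLEARSIGNED)):
        print(name, "leaks:", find_leaky_headers(text))
    print(strip_leaky_headers(SAMPLE_CLEARSIGNED))
```

With GnuPG itself, the behaviour the ticket asks for by default is reachable today through the gpg.conf options `no-emit-version` and `no-comments` (or `--no-emit-version --no-comments` on the command line). A checker like the one above is still useful for confirming that a given front end, which may inject its own Comment: line independently of gpg, actually produces header-free armor.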