[Gpg4win-devel] efail -> improvements

Bernhard Reiter bernhard at intevation.de
Tue May 15 12:47:38 CEST 2018


On Tuesday, 15 May 2018 10:07:58, Andre Heinecke wrote:
> > >  c) a signature over the whole contents from someone where it has been
> > >     encrypted to (if this is feasible to detect).

As just outlined on gnupg-devel@: it may be enough if the hash property
of the signature is used as message integrity checking.

> > We should change all Gpg4win frontends (like GpgOL, Kleo, GpgEX, GPA)
> > to honor the warnings and error messages that GnuPG already shows.
>
> We use GPGME and GPGME honors GnuPG's warnings and error messages. To be
> honest I didn't really know about the importance of MDC when implementing
> decryption in GpgOL. But this shows again that as a frontend developer
> using GPGME makes it easy to stay secure as it just "does the right thing".

The point is to recheck that we do not display anything.
(It is likely that this is already like it should be because of the use of 
GPGME.)

> For Outlook 2007 and 2003 I think that the problem is that back then GPGME
> was not used and the MDC Error got lost in communication through the middle
> man. (GPA / Kleopatra)

We'd probably take the opportunity to disable the old support for Outlook 
2007, 2003 now (as was already planned, deprecated and announced).

> Please note that for file encryption (Kleo or GPA) efail is not an issue and
> GpgEX does only call Kleo or GPA.

Talking to Andre, we do believe that file decryption is also an issue.
Our idea right now is to by default only display data or save a file if there 
was an integrity protection. For S/MIME we have to use c) as outlined above 
and explained in more detail on gnupg-devel@.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
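
The default described in the message above (display or save only when integrity protection was verified), as an added example that is not code from the poster, Gpg4win or GPGME: a gate that keeps decrypted data buffered and releases it only when the status lines written by `gpg --status-fd` report a good MDC. The function names and the sample status runs are constructed for illustration.

```python
# Added example: fail-closed release of decrypted data based on gpg status lines.
from typing import Iterable, Optional

PREFIX = "[GNUPG:] "

def integrity_verdict(status_lines: Iterable[str]) -> str:
    """Return 'ok', 'no-integrity-protection' or 'failed' for one decryption."""
    seen = set()
    for line in status_lines:
        if not line.startswith(PREFIX):
            continue                      # not a status line, ignore it
        fields = line[len(PREFIX):].split()
        if fields:
            seen.add(fields[0])           # keep only the status keyword
    if "BADMDC" in seen or "DECRYPTION_FAILED" in seen:
        return "failed"                   # modified ciphertext or other error
    if "DECRYPTION_OKAY" not in seen:
        return "failed"                   # truncated or unexpected output
    if "GOODMDC" in seen:
        return "ok"
    return "no-integrity-protection"      # decrypted, but nothing vouches for it

def release_plaintext(status_lines: Iterable[str], buffered: bytes) -> Optional[bytes]:
    """Hand buffered plaintext to the UI or to disk only if integrity was verified."""
    return buffered if integrity_verdict(status_lines) == "ok" else None

# Constructed status runs (not captured from a real session).
GOOD = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] PLAINTEXT 62 1526380000 ",
        "[GNUPG:] DECRYPTION_OKAY", "[GNUPG:] GOODMDC", "[GNUPG:] END_DECRYPTION"]
TAMPERED = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] PLAINTEXT 62 1526380000 ",
            "[GNUPG:] BADMDC", "[GNUPG:] DECRYPTION_FAILED", "[GNUPG:] END_DECRYPTION"]
NO_MDC = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] PLAINTEXT 62 1526380000 ",
          "[GNUPG:] DECRYPTION_OKAY", "[GNUPG:] END_DECRYPTION"]

if __name__ == "__main__":
    for name, run in (("good", GOOD), ("tampered", TAMPERED), ("no MDC", NO_MDC)):
        print(name, "->", integrity_verdict(run), release_plaintext(run, b"secret"))
```

In the tampered run the PLAINTEXT line appears before BADMDC, so the output has to stay buffered until the final verdict rather than being shown as it arrives.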