Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/5/2018
02:30 PM
Adam Shostack
Adam Shostack
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

'EFAIL' Is Why We Cant Have Golden Keys

A deep dive into the issues surrounding an HTML email attack.

There's a newly announced set of issues labeled the "EFAIL encryption flaw" that reduces the security of PGP and S/MIME emails. Some of the issues are about HTML email parsing, others are about the use of CBC encryption. All show how hard it is to engineer secure systems, especially when those systems are composed of many components that had disparate design goals.

According to the announcement from the EFAIL website:

In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.

Let's take a closer look at the HTML issues, because they're easier to understand, and because they're system issues, not crypto issues. The way the HTML attack works is that there are three parts to an email. The first is an HTML image tag with an opening quote but no closing quote. The second is the encrypted message, and the third is a close for the image tag. The Web display engine incorporated into some email clients assembles all of this into an HTML page, and in doing so sends the decrypted email to a server under the control of an attacker.

This is all pretty good stuff. It's not an attack on PGP or S/MIME but, rather, on the system in which those are embedded. (The CBC mode crypto is an attack on S/MIME.) There are reasons to be skeptical of the design or usability of PGP, and this attack bypasses all of them. PGP is designed conservatively, because the folks writing the code knew it would be attacked. PGP takes care to check inputs for reasonableness in all sorts of ways. In contrast, HTML parsers are designed to work when programmed by drunken idiots reading documents translated into Slovenian then French and displayed using the blink tag. It takes the robustness principle ("Be conservative in what you send, and liberal in what you accept.") to extreme lengths. And so the IMG tag issue at the heart of EFAIL is the HTML parser saying, "OK, here's the end of that URL! I better ask for it now!"

This makes for a great deal of robustness. You might think the alternative would be "someone should just look at the darn Web page and make sure it doesn't end with an error." That sounds great, but in the great Netscape-Internet Explorer war, when browsers were being coded and released competitively, the ability to parse more pages was a major competitive advantage. Moreover, today, a page working in IE on Windows is no guarantee that it will work on Safari on an iPhone. Robust, liberal parsing is part of why the Web has taken over the world, including email display. (Advertising and tracking is another part, but that's for another essay.) You might also think that we should have stricter parsing modes for HTML so that we could say "don't let this happen." HTML parsing is already complex, and a new, more conservative mode would multiply the complexity of the code.

Let's bring this around to Ray Ozzie's risky proposal, "Clear," and golden key proposals more generally. Each involves some highly sensitive code, and we want that code to be robust. Whatever the design of the golden key system happens to be, it's going to be embedded in complex systems. It's going to be dependent on many complex things. (Ozzie's proposal glibly involves video processing inside the trusted computing base.)

So, will the system be robust (secure in its availability property), or resistant to attack (secure in its confidentiality property)? We might want both, but as EFAIL shows us, we don't know how to engineer for both. Consequently, we need to keep our security systems as simple as we possibly can, so they can possibly work.

Related Content:

Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack & Associates, and advises startups ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9008
PUBLISHED: 2020-02-25
Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/PeopleTool v9.1 allows users to inject arbitrary web script via the Tile widget in the People Tool profile editor.
CVE-2020-9018
PUBLISHED: 2020-02-25
LiteCart through 2.2.1 allows admin/?app=users&doc=edit_user CSRF to add a user.
CVE-2020-9019
PUBLISHED: 2020-02-25
The WPJobBoard plugin 5.5.3 for WordPress allows Persistent XSS via the Add Job form, as demonstrated by title and Description.
CVE-2020-9391
PUBLISHED: 2020-02-25
An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been ...
CVE-2020-8793
PUBLISHED: 2020-02-25
OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c.