Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/5/2018
02:30 PM
Adam Shostack
Adam Shostack
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

'EFAIL' Is Why We Cant Have Golden Keys

A deep dive into the issues surrounding an HTML email attack.

There's a newly announced set of issues labeled the "EFAIL encryption flaw" that reduces the security of PGP and S/MIME emails. Some of the issues are about HTML email parsing, others are about the use of CBC encryption. All show how hard it is to engineer secure systems, especially when those systems are composed of many components that had disparate design goals.

According to the announcement from the EFAIL website:

In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.

Let's take a closer look at the HTML issues, because they're easier to understand, and because they're system issues, not crypto issues. The way the HTML attack works is that there are three parts to an email. The first is an HTML image tag with an opening quote but no closing quote. The second is the encrypted message, and the third is a close for the image tag. The Web display engine incorporated into some email clients assembles all of this into an HTML page, and in doing so sends the decrypted email to a server under the control of an attacker.

This is all pretty good stuff. It's not an attack on PGP or S/MIME but, rather, on the system in which those are embedded. (The CBC mode crypto is an attack on S/MIME.) There are reasons to be skeptical of the design or usability of PGP, and this attack bypasses all of them. PGP is designed conservatively, because the folks writing the code knew it would be attacked. PGP takes care to check inputs for reasonableness in all sorts of ways. In contrast, HTML parsers are designed to work when programmed by drunken idiots reading documents translated into Slovenian then French and displayed using the blink tag. It takes the robustness principle ("Be conservative in what you send, and liberal in what you accept.") to extreme lengths. And so the IMG tag issue at the heart of EFAIL is the HTML parser saying, "OK, here's the end of that URL! I better ask for it now!"

This makes for a great deal of robustness. You might think the alternative would be "someone should just look at the darn Web page and make sure it doesn't end with an error." That sounds great, but in the great Netscape-Internet Explorer war, when browsers were being coded and released competitively, the ability to parse more pages was a major competitive advantage. Moreover, today, a page working in IE on Windows is no guarantee that it will work on Safari on an iPhone. Robust, liberal parsing is part of why the Web has taken over the world, including email display. (Advertising and tracking is another part, but that's for another essay.) You might also think that we should have stricter parsing modes for HTML so that we could say "don't let this happen." HTML parsing is already complex, and a new, more conservative mode would multiply the complexity of the code.

Let's bring this around to Ray Ozzie's risky proposal, "Clear," and golden key proposals more generally. Each involves some highly sensitive code, and we want that code to be robust. Whatever the design of the golden key system happens to be, it's going to be embedded in complex systems. It's going to be dependent on many complex things. (Ozzie's proposal glibly involves video processing inside the trusted computing base.)

So, will the system be robust (secure in its availability property), or resistant to attack (secure in its confidentiality property)? We might want both, but as EFAIL shows us, we don't know how to engineer for both. Consequently, we need to keep our security systems as simple as we possibly can, so they can possibly work.

Related Content:

Adam is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29128
PUBLISHED: 2020-11-26
petl before 1.68, in some configurations, allows resolution of entities in an XML document.
CVE-2020-27251
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
CVE-2020-27253
PUBLISHED: 2020-11-26
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.
CVE-2020-27255
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to the b...
CVE-2020-25651
PUBLISHED: 2020-11-26
A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest...