Message security

[alejandro-colomar]

Date: Sat, 30 Mar 2024 12:22:13 +0100
From: Alejandro Colomar <alx@kernel.es>                                      *10
Reply-To: evil@example.com                                                   *10
To: alx@kernel.es
Cc: bob@example.com                                                          *10
Subject: ...                                                                 *17

[-- Begin encryption information --]                                                 \
Recipient: RSA key, ID 1234123412341234                                              |
Recipient: RSA key, ID 5678567856785678                                              }-----  *19 Hide: $crypt_encryption_info = no
Recipient: RSA key, ID 0000000000000000                                      *07     |
[-- End encryption information --]                                                   /

[-- Warning: owner of RSA key, ID 1234123412341234 is not a recepient --]    *01
[-- Warning: recipient <bob@example.com> cannot decrypt the message --]      *02

[-- Begin signature information --]
Good signature from: Alejandro Colomar <alx@alejandro-colomar.es>
                aka: Alejandro Colomar <alx@kernel.org>
                aka: Alejandro Colomar Andres <alx.manpages@gmail.com>
            created: Sat Mar 30 12:22:13 2024
[-- End signature information --]

[-- Warning: the header field 'In-Reply-To' has been tampered with --]       *11
[-- Warning: the header field 'Mail-Followup-To' has been tampered with --]
[-- Warning: the header field 'Reply-To' has been tampered with --]
[-- Warning: the header field 'Sender' has been tampered with --]
[-- Warning: the header field 'To' has been tampered with --]
[-- Warning: the header field 'X-Original-To' has been tampered with --]

[-- The following data is PGP/MIME signed and encrypted --]                  *03, *14
From: Alejandro Colomar <alx@kernel.es>                                      *08     \    \
Sender: foo@foo.com                                                                  |    |
Reply-To: foo@foo.com                                                                }----|---- *06, *20 Weed: weed && &crypt_protected_headers_weed = yes
Mail-Followup-To: foo@foo.com                                                        |    |
X-Original-To: foo@foo.com                                                           |    |
To: foo@foo.com                                                                      |    |
Cc: bob@example.com                                                                  |    }----  *05 Hide: $crypt_protected_headers_read = no
Subject: Foo                                                                 *17     |    |
In-Reply-To: <sdfgdsfgh@sdzgvadsfg>                                          *09     /    |
                                                                             *04          /
Body body
body body body
body
[-- End of PGP/MIME signed and encrypted data --]                            *03

Overview

This is a list of existing security features of NeoMutt and a large number of proposed improvements.

NeoMutt can sign and/or encrypt emails.
While this adds security to the message, the headers could be tampered with.
Many of the ideas below help to protect against this, or highlight when it happens.

Developers: Some of them already have proofs-of-concept that you can try out.

There's a lot to take in.
Feel free to ask lots of questions and let us know your thoughts.

Thanks! ❤️

Existing Feature

*17 Hidden Subject

When NeoMutt encrypts an email, it has a feature to hide the Subject:.
The headers will contain, say: Subject: ... and the real subject will be put in the encrypted body.

This makes it harder for eavesdroppers to follow a conversation.

See also *08

This feature is controlled by the config:

# Display protected headers (Memory Hole) in the pager
set crypt_protected_headers_read    = yes
# Save the cleartext Subject with the headers
set crypt_protected_headers_save    = no
# Use this as the subject for encrypted emails
set crypt_protected_headers_subject = "..."
# Generate protected header (Memory Hole) for signed and encrypted emails
set crypt_protected_headers_write   = yes

*05 Toggle showing protected fields

When NeoMutt receives a message with protected headers, it has a configuration variable to hide them.

This helps reduce the noise of duplicated header fields, since in most cases, messages will be legitimate.

This feature is controlled by the config:

# Display protected headers (Memory Hole) in the pager
set crypt_protected_headers_read    = yes

Proposed Features

*19 Encryption Info Block

Pull Request: #4221

Add a block of information to the Pager showing all the encryption recipients.

Recipient: RSA key, ID 5678567856785678

Currently, this shows a list of encryption sub-keys.
These sub-keys are unique and can be used to look up the user's main key, but they aren't immediately recognisable.

Future improvements:

• Use the sub-key to lookup the main key
• Use the main key to lookup the user's name and email address

(these steps haven't been tested)

This feature is controlled by the config:

set crypt_encryption_info = no

*01 Encryption Key/Recipient Check

This would depend on *19 and looking up the user's email address

Warn the user when an encryption recipient isn't in one of the address fields.

[-- Warning: owner of RSA key, ID 1234123412341234 is not a recepient --]

Looking up the user's real name / email address could be slow (untested).

*02Encryption Recipient/Key Check

This would depend on *19 and looking up the user's email address

Warn the user when a recipient of the email doesn't have a matching encryption key.

[-- Warning: recipient <bob@example.com> cannot decrypt the message --]

Looking up the user's real name / email address could be slow (untested).

*03 Remove Padding Lines

Confirmed: See devel/security #4243, #4255

Don't display padding around the message, in the Pager.

NeoMutt prints a blank line before and after the message body.
Remove them, so that what's displayed matches what's signed/encrypted.

[-- The following data is PGP/MIME signed --]

Body body
body body body
body

[-- End of PGP/MIME signed data --]

*04 Force Blank Line After Mime Header

Confirmed: See devel/security #4247, #4255

The Mime header block can contain zero or more fields.
However many fields there are (even zero), they are always followed by a blank line.

This means the user can distinguish between fields that are hidden and zero fields.

[-- The following data is PGP/MIME signed --]
Subject: Foo

Body body
body body body
body
[-- End of PGP/MIME signed data --]

*20 Weeding the Crypto Headers

Optionally hide some of the protected headers.

NeoMutt performs "weeding" (filtering) on the email headers.
The ignore and unignore commands tell NeoMutt which to hide or show.

These currently affect protected headers as well.
We could add a configuration variable to not do that by default, while still allowing to weed them.
This feature would be controlled by,

set crypt_protected_headers_weed = yes

*07 Hide Bcc

Encrypting to a Bcc should use a "hidden recipient".

When gpg encrypts, it can embed the key fingerprint in the text.
Anyone who has the encrypted text, can tell who it's encrypted to.

Recipient: RSA key, ID 1234123412341234

If you send an email To: Jim and Bcc: Bob, then Jim can infer that Bob received the email too.

By telling gpg to use 'hidden recipients', then key isn't visible.
This is an improvement, but Jim will still know that there's another recipient.

A more thorough solution, and much more work, would be to have NeoMutt send a separate email to each of the Bcc: list.

See also: *19 Encryption Info Block

*08 Protect Address Lists

Present in mutt(1) since 2.0.0:
See http://mutt.org/relnotes/2.0/
See https://gitlab.com/muttmua/mutt/raw/stable/UPDATING
See https://gitlab.com/muttmua/mutt/-/commit/82b5c697e935ffe40b833e150aa79fd3cb27a20c
See https://marc.info/?l=mutt-dev&m=171349491914691&w=2
See https://marc.info/?l=mutt-dev&m=171349804815814&w=2

(but mutt(1) doesn't protect all address lists; only the basic ones.)

Save a copy of any address lists, e.g. To:, Cc: in the signed/encrypted block.

The headers of an email aren't protected and could be altered by a malicious agent.
When you reply to an email, you can't be certain that everyone was really an intended recipient.

See also:

• *11 Warning on Tampering
• *20 Weeding the Crypto Headers

*09 Protect In-Reply-To

Save a copy of any the In-Reply-To: in the signed/encrypted block.

The In-Reply-To: field contains sensitive fields.
If an attacker were to alter them, it could mislead the recipient.

See also: *08 Protect Address Lists

*10 Use Protected Fields

Unprotected fields shouldn't be trusted when replying.

If an email's headers have been tampered with, it should still be possible to reply to the email using the protected values.

If the user has already been warned, then the correct values of the fields should be used.

Note: Until the message has been opened, it won't be possible to check for tampering.

The Index needs to display the protected values as soon as the Pager has read them.

*11 Warning on Tampering

Check the header fields against the protected copy in the signed/encrypted block.

Display a warning in the Pager:

[-- Warning: the header field 'Reply-To' has been tampered with --]

What should we do with this info?

Should we:

• Highlight the bad field in the headers?

• Leave the original header intact?
  (For the user to examine)

• Overwrite the header?
  Keep a Subject-Orig:?
  (So we can warn every time the email is read)

See also: *15 Colours

*13 Phishing Protection

Highlight email addresses that could be misleading.

See also: #4233 Phishing Protection

These two addresses are not the same, but in many fonts they look identical.

info@apple.com  plain ASCII
info@аррӏе.com  lower case cyrillic

Mark any addresses that aren't entirely ASCII with they're PunyCode equivalent.
Users can create a list of known safe addresses.

*14 Pager Navigation

These features could potentially add a lot of header information to an Email.

We want to encourage more people to use the features, but we don't want to get in the way of reading the email.

Currently, NeoMutt has functions, <skip-headers> and <skip-quoted>.
We could alter <skip-headers> to step between Mime blocks too.

The top of the screen displays:
e.g.

• Start: Envelope
• <skip-headers>: First Mime block
• <skip-headers>: Second Mime block (or no change)

See also: *16 Compact Display

*15 Colours

Use colour to highlight errors, warnings, or correct info.

Using gpgme is the preferred way to handle signing/encryption.
(set crypt_use_gpgme = yes)

It knows (so NeoMutt knows) when a signature is bad, etc.
Some old NeoMutt themes had regexes to match and colour "Good signature" / "Bad signature".

Should we create some colours for these common cases?

Currently, all the [-- ... --] type headers are coloured with color attachment.
Do we want a separate color crypto?

Vim has the ability to link colours together (NeoMutt doesn't, yet :-)
e.g.

highlight link Folded Comment

This might allow linking color crypto_warning to color warning, etc

*16 Compact Display

Display less information, without compromising security.

Most users will never see a forged email, but we still want them to enable these safety features.
This means making the displayed information very quick to parse visually, or very compact.

For a normal email, all the protected fields will be the same as the email header fields.
In this case, it makes sense not to show one of the sets.
If we hide the protected fields, we need a way to show that the header fields have been validated.

We could define some new colours for the various states: Valid, Unknown, Invalid.

Alternatively, NeoMutt already uses quite a few *_chars config options as flags.
This would allow custom text markers (e.g. using NerdFonts).

Or both!

[alejandro-colomar]

I haven't addressed *01 and *02, since I'm not sure we want them.

The following issues / PRs address *03:

• Spurious blank lines in pager #4242
• ncrypt/: Don't introduce spurious blank lines in protected blocks #4243

The following issues / PRs address *04:

• ncrypt/crypt.c: Print a blank before the body area even if the header area is empty #4247

The following issues / PRs address the weeding of protected header fields:

• Don't weed protected headers #4246 (superseeded)
• Cryptoweed; Add $crypt_protected_headers_weed #4249

The following issues / PRs address *06:

• crypt_protected_headers_write should be removed, or at least default to yes #4236
• Change $crypt_protected_headers_write default to 'yes' and then set it in stone (remove it) #4248
• $crypt_protected_headers_write: Change default to 'yes' #4256

The following issues / PRs address *07:

• BCC leakage in encrypted mail #4234
• I haven't yet written the code to hide the recipients. It'll be complex, and I prefer to merge other stuff first.

The following issues / PRs address *08:

• Should To and Cc header fields be protected? #4223
• Protect more header fields #4227

The following issues / PRs address *09:

• Should To and Cc header fields be protected? #4223
• Protect more header fields #4227

The following issues / PRs address *10, *11:

• We shouldn't trust unprotected header fields when replying #4237
• I'm not yet sure what to do here to solve it. Let's discuss that in the issue. *11 is a tentative and easy solution, I think. If that warning is emitted, we could also change behavior when replying.

The following issues / PRs implement *18:

• ncrypt/crypt_gpgme.c: Show encryption information #4221

[flatcap]

Lovely, thanks.
Edits: inserted some whitespace; enabled syntax highlighting; s/tampered/& with/

[roccoblues]

*1: The warning above would happen if a recipient does not apear in
an AddressList. This would imply knowing the owner, which is
complex, and as you said slow, so we probably don't want it.

*2: The warning above would happen if an AddressList element cannot
decrypt the message. This would be similarly slow and complex,
so we probably don't want it.

I'm not deep into this topic, sorry if this is a stupid question. This two are mostly useful for the sender right? Or why would I, as recipient, care if some other recipient can't verify/decrypt a message?

[alejandro-colomar]

I wrote those points before writing *11. The intention was that when that happens, it's likely that somebody messed with the recipients. I think *11 superseeds and is better for detecting those, so we can agree to forget about *1 and *2.

[roccoblues]

With my limited knowledge:

• *3, *4 look pretty simple and useful
• *7 yep, agree
• *8, *9 also make sense and should be tackled

Regarding the warning in *11: has been tampered with <-- this might just lead to more questions. We definitely need some good documentation explaining what it means.

But what I really wanted to ask: what happened to *5? 😆

[alejandro-colomar]

:D *5 was replaced by inline Hide: $crypt_protected_headers_read = no.

[alejandro-colomar]

*11: Yep, it needs to be documented.

I would do this:

• If the field is protected, and either has a different value or has been removed in the non-protected header area, report that it's been tampered with.

• If the field is not protected (maybe the sender used set crypt_protected_headers_write = no --please never use this!--; or maybe the sender used a vulnerable MUA --e.g., every mail sent with every MUA up to today--), I think we shouldn't emit a warning, since this will happen often, and we don't want to desensitize people.
  (Maybe in the long-term future, all MUAs protect header fields, and we can warn about unprotected fields.)

[alejandro-colomar]

Warning on Tampering

Check the header fields against the protected copy in the signed/encrypted block.

Display a warning in the Pager:

[-- Warning: the header field 'Reply-To' has been tampered with --]

What should we do with this info?

Should we:

* Highlight the bad field in the headers?

* Leave the original header intact?
  (For the user to examine)

* Overwrite the header?
  Keep a `Subject-Orig:`?
  (So we can warn every time the email is read)

I had been thinking about this one. I very much prefer to keep it intact, for the user to examine. (This is the behavior with Subject at the moment --although, we don't warn on it, of course--.)

[alejandro-colomar]

Pager Navigation

These features could potentially add a lot of header information to an Email.

We want to encourage more people to use the features, but we don't want to get in the way of reading the email.

Currently, NeoMutt has functions, <skip-headers> and <skip-quoted>. We could alter <skip-headers> to step between Mime blocks too.

The top of the screen displays: e.g.

* Start: Envelope

I never understood why (neo)mutt(1) uses the "envelope" term. The envelope is a different thing. What (neo)mutt(1) calls the envelope is actually the header, isn't it?
https://www.mybluelinux.com/what-is-email-envelope-and-email-header/

See also:
https://datatracker.ietf.org/doc/html/rfc5322#section-3.6.4
https://datatracker.ietf.org/doc/html/rfc5321
and grep for envelope there.

And see also:
https://datatracker.ietf.org/doc/html/rfc1521#section-7.2

* `<skip-headers>`: First Mime block

* `<skip-headers>`: Second Mime block (or no change)

[alejandro-colomar]

Encryption Key/Recipient Check

This would depend on *02 and looking up the user's email address

Warn the user when an encryption recipient isn't in one of the address fields.

[-- Warning: owner of RSA key, ID 1234123412341234 is not a recepient --]

Looking up the user's real name / email address could be slow (untested).

Encryption Recipient/Key Check

This would depend on *02 and looking up the user's email address

Warn the user when a recipient of the email doesn't have a matching encryption key.

[-- Warning: recipient <bob@example.com> cannot decrypt the message --]

Looking up the user's real name / email address could be slow (untested).

I think these two are unlikely to be feasible and useful. Some times we'll receive messages that are encrypted to recipients whose key we don't have, so we don't know if the recipient can decrypt or not. Or maybe we have the key, but the recipient added another ID to that key recently, and we didn't know about it.

I'd leave these two for future investigation (as in, at least a few years from now), but discard them for now.

[alejandro-colomar]

Colours

Use colour to highlight errors, warnings, or correct info.

Using gpgme is the preferred way to handle signing/encryption. (set crypt_use_gpgme = yes)

It knows (so NeoMutt knows) when a signature is bad, etc. Some old NeoMutt themes had regexes to match and colour "Good signature" / "Bad signature".

Should we create some colours for these common cases?

Currently, all the [-- ... --] type headers are coloured with color attachment. Do we want a separate color crypto?

Vim has the ability to link colours together (NeoMutt doesn't, yet :-) e.g.

highlight link Folded Comment

This might allow linking color crypto_warning to color warning, etc

Compact Display

Display less information, without compromising security.

Most users will never see a forged email, but we still want them to enable these safety features. This means making the displayed information very quick to parse visually, or very compact.

For a normal email, all the protected fields will be the same as the email header fields. In this case, it makes sense not to show one of the sets. If we hide the protected fields, we need a way to show that the header fields have been validated.

We could define some new colours for the various states: Valid, Unknown, Invalid.

Alternatively, NeoMutt already uses quite a few *_chars config options as flags. This would allow custom text markers (e.g. using NerdFonts).

Or both!

Maybe we could use colors:

• Show the fields in the message header (*) (so, the unprotected ones) in the default color if they are not protected.
• Show those fields in green if they perfectly match a header field in the protected header area.
• Show those fields in red if the header field is present in the protected header area and don't match.

However, I would do this in a second round of improvements to message security. I.e., not in the first release. I'd like to give it some more thought.

*: Message header is what (neo)mutt(1) calls the envelope. In RFCeese, the term message header refers to the "main" header of the email. See https://datatracker.ietf.org/doc/html/rfc1521#section-7.2.

[alejandro-colomar]

Links:

https://github.com/autocrypt/protected-headers/blob/main/draft-protected-headers.in.md#protected-headers-summary
https://github.com/autocrypt/protected-headers/blob/main/draft-protected-headers.in.md#exposed-headers-are-outside
https://github.com/autocrypt/protected-headers/blob/main/draft-protected-headers.in.md#copying-all-headers
https://github.com/autocrypt/protected-headers/blob/main/draft-protected-headers.in.md#message-interpretation
https://github.com/autocrypt/protected-headers/blob/main/draft-protected-headers.in.md#usability-impact-of-reduced-metadata
https://github.com/autocrypt/protected-headers/blob/main/draft-protected-headers.in.md#mailing-list-header-modifications

[alejandro-colomar]

Round 1.

I think in a first release we could limit ourselves to the following, which are the most basic enhancements:

• *03 ncrypt/: Don't introduce spurious blank lines in protected blocks #4243
• *04 ncrypt/crypt.c: Print a blank before the body area even if the header area is empty #4247
• *06 $crypt_protected_headers_write: Change default to 'yes' #4256
• *19 ncrypt/crypt_gpgme.c: Show encryption information #4221
• *20 Cryptoweed; Add $crypt_protected_headers_weed #4249
• *08, *09 Protect more header fields #4227

The rest are either more difficult to implement, or may need more discussion.

[gahr]

Hi @alejandro-colomar , I have a couple of questions regarding protected headers. They are general questions, not related to what we already do or what you suggest we do:

1. I can't find where RFC2045 says that it's valid to put arbitrary headers in the MIME header section. On the contrary, it lists specific MIME headers plus any header starting with Content-. Isn't the "protected headers" violating RFC2045?
2. @flatcap pointed me to https://datatracker.ietf.org/doc/html/rfc5751#section-3.1. It's S/MIME specific, but it suggests a way to "protect" headers, which is, to compose an email with a message/rfc822 part, and to encrypt/sign that part. What do you think of that, as an alternative to "protected headers"?
3. what's your opinion on why almost-nobody cared about protecting headers in a standard manner in 30-something years of PGP being around?

[alejandro-colomar]

Re: 1.:

It's specified in https://www.rfc-editor.org/rfc/rfc2045#section-2.4.

Any sort of field may be present in the header of an entity,
but only those fields whose names begin with "content-" actually have
any MIME-related meaning.

Which I read as "you can put whatever you want there". Then it continues with

Note that this does NOT imply thay they
have no meaning at all

Which is of course, they have a meaning for us. They just don't have a meaning for MIME.

[alejandro-colomar]

Re: 2.:

It's not crazy. I think that's similar (maybe the same?) to what https://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection/ calls a"wrapped message". It would work, I guess. They mention that it's more likely to be incompatible with existing MUAs, since they will have a harder time parsing that. And it will probably be harder to implement.

But it protects as much as my proposal, so regarding the protection it provides, I'm okay with it.

However, consider the work of implementing that thing. (Is that already implemented for S/MIME? Maybe we can reuse code and it's not that bad.)

[alejandro-colomar]

Re 3.:

almost-nobody cared about protecting headers in a standard manner

I would go further. Almost-nobody cared about protecting headers. Standard or non-standard.

My opinion... I guess the feedback from some mutt(1) developers is a good example. Most probably never stopped to think if they are really vulnerable. I got several replies saying things like you need to be doing stupid things to fall into such an attack. It's only after I insisted a few times that they stopped to consider it, and found that the attack was actually possible.

Also, the ones that could consider it a viable attack, probably didn't consider themselves as viable targets, and so they didn't bother to fix it, since that would be work.

And for the very few that considered it a viable attack, and considered themselves viable targets, and were capable of patching their MUA to add this security, and were capable of convincing MUA maintainers of merging their patches... (and I assume there are very very few people that meet all these conditions)... they probably workarounded it by being stricter about their communications, which is a simpler solution (compared to convincing MUA maintainers of merging patches).

If you talk to your recipients, better offline, and everyone knows that nobody else should be listening, then if an attacker tries to add itself to CC, they won't be tricked. It someone should be added, mention it in the message, saying "CC += someone". Being disciplined works for small groups, which are the usual target.

But none of those reasons strikes me as a good reason to not improve the status quo.

[gahr]

I have the impression that protected headers should be proposed as part of an extension of a PGP-MIME RFC, to maximize interoperability. Putting headers in the MIME header is a no-brainer, but reporting mismatches between the email and the MIME headers and everything that follows could be codified in a standard.
Otherwise, we'll risk developing something that only Neomutt-to-Neomutt users will benefit from. And I have the feeling that the set of users who care intersected with the set of users who use Neomutt intersected with the set of their recipients is near ∅.

[gahr]

*10 Use Protected Fields

Unprotected fields shouldn't be trusted when replying.

If an email's headers have been tampered with, it should still be possible to reply to the email using the protected values.

If the user has already been warned, then the correct values of the fields should be used.

Note: Until the message has been opened, it won't be possible to check for tampering.

The Index needs to display the protected values as soon as the Pager has read them.

This assumes a certain interpretation of the headers of the encrypted MIME part, which - as of today - only exists marginally. This is part of why I think this would be best put in an RFC.

I think it's a stretch to say that if I find a From: header in the encrypted MIME header, it should be taken as the sender instead of the From header in the email. There's nothing to say how to interpret those headers, and different MUAs might implement their on semantics.

[ossilator]

I think it's a stretch to say that if I find a From: header in the encrypted MIME header, it should be taken as the sender instead of the From header in the email. There's nothing to say how to interpret those headers, and different MUAs might implement their on semantics.

it's even more a stretch to suppose that the sending MUA meant anything else when it put the header there.

sure, you can effectively kill the effort by insisting on (even more) a-priori standardization, which will most likely meet the same destiny as the previous attempts. or you just accept that this is objectively a quality improvement with no obvious downsides, and go with it.

[gahr]

it's even more a stretch to suppose that the sending MUA meant anything else when it put the header there.

It might mean a nickname, not a formally valid email address. It might not even be a MUA that generates the part. It might be a journalists software that uses From to put the source of some news, and To to mean the name of the journalist. I don't have the context of how everyone in the world uses PGP MIME parts. That's why we need standardization.

or you just accept that this is objectively a quality improvement with no obvious downsides

It's a quality improvement only for NeoMutt<->NeoMutt communication, as long as nobody else is doing it - so very marginal. And it has no obvious downsides as long as nobody else is doing it differently.

My suggestion, if we want to pursue this, is to use X-NeoMutt-* headers.

[alejandro-colomar]

My intention is that other MUAs follow. However, the security teams of Debian and Redhat didn't respond to my request for a CVE. I'll try CCing some people that are involved in thunderbird(1) (from what I can see in the Mozilla comm-central github mirror).

Cc: @mkmelin, @jobisoft, @kaie

[alejandro-colomar]

The interpretation of a received message has been documented in a draft for a RFC:

https://github.com/autocrypt/protected-headers/blob/main/draft-protected-headers.in.md#message-interpretation

It basically says what I suggested doing: if the MUA finds at least one protected address list, consider that the sending MUA protected all address lists, and so anything that differes from the protected headers in any way, should be considered tampered. They propose two alternative behaviors: either completely ignoring the exposed headers, or consider the PGP signature invalid.

I think we can do a little better: show both the exposed and the protected headers, allowing the user to inspect what really arrived; ignore the exposed headers for the purposes of replying; and instead of invalidating the signature, just adding tampering warnings, since the signature is still valid.

FWIW, I'll also CC people that contributed to that file.

Cc: @jwilk, @dkg

[alejandro-colomar]

(I added those CCs as an edit; I'm not sure if GH notifies them; I'll repeat the CCs in a new comment.)

Cc: @jwilk @dkg

[ossilator]

It might be a journalists software that uses From to put the source of some news, and To to mean the name of the journalist.

the level of malicious idiocy to actually do that would be astonishing. re-using existing rfc5322 header names in a closely related context for other purposes is obviously calling for trouble. sure, someone might do it nonetheless, but why should the world be constrained by such people? esp. given the existence of the related draft RFCs?

[gahr]

Ok - so you're saying you're going to implement https://datatracker.ietf.org/doc/html/draft-ietf-lamps-header-protection-20?

[alejandro-colomar]

Not all of it, and my implementation was completely independent of it (I didn't know that document when I wrote the code), but after checking the document it very closely matches my implementation. And I'd say that where we differ from it is only in small aspects, and our difference could be considered quality-of-implementation details.

[gahr]

I'd say that https://datatracker.ietf.org/doc/html/draft-ietf-lamps-header-protection-20#name-receiving-side clears my concerns: as long as there's a way to determine that protected headers were used by the sender according to some standard (or draft), it's ok to interpret them as such. I don't think your implementation does that (yet), though?

[alejandro-colomar]

My current implementation does:

• Write the protected headers.
• Read the protected headers, just to render them; otherwise ignoring them.

I propose discussing further what to do with those headers after those changes have been merged, at least to devel/security.

I think sending and rendering the headers is a separate discussion of how to behave when they have been tampered.

For the discussion on tampering, my proposal is to:

• If the message had any protected address list, use ONLY the address lists found in the protected headers for a reply.
• If the message had any protected address list, display a warning for each one that is different (or removed, or added) in the (exposed) message header.

We could do this in a v2, or we could ship it all together, I don't mind.

[ossilator]

sounds reasonable to me.

i'd do everything in one go, because a complete solution is always more convincing, and avoids churn.

i'd go with a space-saving presentation in the default weeded mode, i.e. cull the duplicated headers that match (after FWS normalization). maybe mark them as signed by using a separate color for them (in practice, i'd use the same color but with underline, i think).

[alejandro-colomar]

i'd do everything in one go, because a complete solution is always more convincing,

Sounds reasonable.

and avoids churn.

I'll still do it in many small commits, even if we do it in one release, though.
So, in the devel/security branch, it'll be (at least) 3 rounds of patches, but we won't merge to main until we have a consistent story.

cull the duplicated headers that match (after FWS normalization). maybe mark them as signed by using a separate color for them (in practice, i'd use the same color but with underline, i think).

My idea for this is slightly different:

Use colors for the exposed headers:

• If the message doesn't have any protected lists, use the usual color, blue.
• If the message has any protected address list, if an exposed header field has a match in the protected header (after normalization), use green.
• If the message has any protected address list, if an exposed header field does NOT have a match in the protected header (after normalization), use red.

I'd do that in the third round of patches. After we already have the tampering warnings ([-- ... --]) in the devel/security branch.

[ossilator]

That's why we need standardization.

often enough, things are standardized post-fact after they have proven themselves. the deprecation of the X- prefix explicitly encourages this, although at the micro level.

[kaie]

My intention is that other MUAs follow. However, the security teams of Debian and Redhat didn't respond to my request for a CVE. I'll try CCing some people that are involved in thunderbird(1) (from what I can see in the Mozilla comm-central github mirror).

Can you please say more clearly on which of the various aspects discussed you're seeking feedback?

[alejandro-colomar]

Heh, any feedback that you want to give would be great, on any aspect.

I just wanted to let thunderbird(1) know of our plans, to make sure we are compatible, if you want to implement this (and I wish that you do).

[vuori]

Sorry to comment on this late. The feature looks generally useful and it's good to see that standardization on secure headers is proceeding (though mainly on the S/MIME side at the moment?), but have you checked how current versions of widely-used MUA integrations display headers other than Subject from inside the secure envelope? For example:

• Thunderbird
• GpgOL (plugin for desktop Outlook, part of Gpg4win)
• Protonmail (webmail service)

If "extra" headers hit the user with load of warnings or cause other problems, it may prompt complaints from users and maintainers. On the other hand if clients don't display the secure headers at all, this may prompt complaints from security hawks that this represents an invisible salamanders kind of vulnerability (different recipients see different content). Appendix A of draft-ietf-lamps-header-protection linked above has a good list of problems to look out for as well as test vectors.

The results may affect how quickly the features discussed here could be enabled by default if relevant PR(s) get merged.

IIRC some EU governments (e.g. Germany) have recently adopted PGP for secure messaging so interop issues with GUI clients running on Windows may be something that people care about at the moment. (It may also be something of a meta-problem that some people involved with ietf-lamps-header-protection are also involved in the ietf-openpgp-crypto-refresh WG, which is currently in a pretty much all-out standardization war with GnuPG developers).

[alejandro-colomar]

Outlook

No, I won't touch that even with a stick.

Protonmail

Similarly.

Thunderbird

I used that until half a year ago. I received messages from recipients using mutt(1), which has been protecting these headers for a long time, and never noticed any of the protected headers. I guess it simply ignores them.

However, back when I used thunderbird(1), it didn't read correctly the subject sent by mutt(1), so I guess they've improved that. I talked to @ikerexxe today, and we found that thunderbird(1) now is compatible with mutt(1)'s protected subject. However, I guess they still ignore the rest of the header fields. Maybe a thunderbird(1) contributor can comment on this. @kaie , any comments?

[vuori]

As gahr mentioned below and I forgot earlier, there's also the question of clearsigned messages that will presumably have the in-envelope secure headers. These messages' content will typically be viewable also in clients that can't verify the signature. That adds to the list for lighter verification major MUAs such as:

• Gmail (web, mobile)
• Outlook (web, mobile, UWP, in addition to the classic desktop version mentioned above)
• Apple Mail (mobile, desktop)

In general, someone is going to have to put in the hours to do the interop testing, because a lot of people use the clients listed regardless of the opinions of this discussion's participants.

While I do personally like the feature, it seems to me that without a clear and tested idea of its effect on the larger user base, the send side could at best be merged as an opt-in (disabled-by-default) feature. Users of terminal mail clients, let alone those who regularly sign their mails, surely already get enough grumbling from less technically-minded GUI/webmail users about "weird and ugly" mails—bringing about more of the same without a testing-based evaluation of the costs and benefits is unlikely to happen.

The alternative to doing this testing here would be to wait for the I-D mentioned earlier to go forward and hope some well-resourced organization (Mozilla? Proton?) implements it and handles the heavy lifting wrt interop.

[alejandro-colomar]

For the wide testing, we can at least say that it doesn't significantly break any major client, without having seen any of them. How can I do that claim without having used any of those?

mutt(1) has been protecting the following headers for several years already, and the night sky didn't fall so far.

in mutt_protect():

  if (option (OPTCRYPTPROTHDRSWRITE))
  {
    BUFFER *date = NULL;
    protected_headers = mutt_new_envelope ();

    protected_headers->subject = safe_strdup (msg->env->subject);

    /* Note that we set sctx->date_header too so the values match */
    date = mutt_buffer_pool_get ();
    mutt_make_date (date);
    mutt_str_replace (&sctx->date_header, mutt_b2s (date));
    protected_headers->date = safe_strdup (mutt_b2s (date));
    mutt_buffer_pool_release (&date);

    protected_headers->from = rfc822_cpy_adr (msg->env->from, 0);
    protected_headers->to = rfc822_cpy_adr (msg->env->to, 0);
    protected_headers->cc = rfc822_cpy_adr (msg->env->cc, 0);
    protected_headers->reply_to = rfc822_cpy_adr (msg->env->reply_to, 0);

    mutt_prepare_envelope (protected_headers, 0);
    mutt_env_to_intl (protected_headers, NULL, NULL);

    mutt_free_envelope (&msg->content->mime_headers);
    msg->content->mime_headers = protected_headers;
    mutt_set_parameter ("protected-headers", "v1", &msg->content->parameter);
  }

We can assume that mutt(1) users have interacted at least a meaningful number of times with users of those mail clients.

[gahr]

How about more widely-used MUAs? I'm thinking of GMail and Outlook. You can't probably easily decrypt encrypted messages, but you can probably display signed messages. I guess they'll ignore protected headers altogether.

[alejandro-colomar]

gmail ignores the signature, last time I checked (a few weeks ago). I can confirm again in a few hours after talking to someone who uses it. (But maybe there's a hidden way in gmail that I don't know.) (Edit: there seems to be a web browser extension to do PGP with gmail: mailvelope; I haven't tried it)

I don't know of outlook.

BTW, I'll CC the maintainer of a webmail I care about. I guess it also ignores the protected headers, but it won't hurt to let him/her know about our plans. @emersion, how does migadu webmail (alps) handle protected header fields in signed and/or encrypted mail?

[emersion]

Thanks for the ping! I've opened https://todo.sr.ht/~migadu/alps/181 to track this. We don't handle any of this at the moment, but it would be a nice improvement.

[dkg]

I'm really glad to see this work, @alejandro-colomar . thanks for doing it!

If you have any feedback about draft-ietf-lamps-protected-headers, including about any potential divergence, please don't hesitate to raise issues, either on the LAMPS mailinglist or in the issue-tracker.

Please note that we have a change pending to the draft related to how a recipient of an encrypted message can tell whether the sender removed or obscured any of the headers that were directly protected. The change should clean up one obscure corner case where it might be difficult to tell what the sender of the message actually did.

I suspect the safest route to deployment here when generating messages is to use a default Header Confidentiality Policy of hcp_minimal, according to that draft. We can adopt more ambitious HCPs once we have the baselines in place more widely.

@vuori the header protection (and its partner document, draft-ietf-lamps-e2e-mail-guidance) talk mainly about S/MIME because when we started work on them in the IETF, there was nowhere to work on PGP/MIME or on encrypted mail more generally, but the LAMPS working group was nominally chartered for S/MIME work and wasn't opposed to things that happen to also work for PGP/MIME. There's nothing in either draft related to message formatting or structure that i'm aware of that isn't simultaneously applicable to both PGP/MIME and S/MIME. And indeed, of the three primary editors of the draft, two of them (myself and Bernie) do more PGP/MIME work than S/MIME work (the third, Alexey, does more S/MIME than PGP/MIME).

As for the risk of conflict with the GnuPG team, if there's a war, it's entirely one-sided, as i have no interest in being in a war. Indeed, i'm a longtime supporter of GnuPG, and have helped to maintain it in Debian for many years. I don't oppose GnuPG, but i am intimately aware of the ways that it can fail users, and i don't think the ecosystem is healthy if it all just entirely follows the whim of a single implementation. I want standardization (whether in OpenPGP or in e-mail standards, or elsewhere) to advance across multiple implementations, with something like the proverbial rough consensus and running code. I would certainly hope that whatever animus the GnuPG team bears toward me wouldn't translate into a rejection of anything i happen to have touched, but that's also not something i can control. ☹

[ossilator]

By showing both headers, you don't need any of that, AFAIU.

the thing is that while this keeps the implementation simple and the result easy to verify, usually this is just visual clutter which steals screen estate and adds unnecessary cognitive load to the user. you can still show the whole thing when the user turns off header weeding.

[alejandro-colomar]

When I add colors to the exposed header (green confirming that the field matches a protected one, red otherwise + a [-- ... --] warning), the user will be able to simply hide all protected headers ($crypt_protected_headers_read = no), and only = yes when a tampering warning has been issued.

To me, the clutter isn't that big, so I'd read mail with the protected header enabled, but that would be an option for the minimalist.

[ossilator]

i haven't followed everything closely enough to have a coherent view, so i'll just braindump here:

• "complete but minimal" is the reasonable default
• too many options are bad. you don't need to enable every imaginable combination just because you can. even if somebody asks for it, it's still reasonable to have them justify it against the trade-off of the added complexity.
• if the non-minimal display is needed rarely enough, then it can be subsumed under a pre-existing option which causes things that are not relevant at the moment to be shown as well. hence my expectation to re-use the header weed toggle for that.

[alejandro-colomar]

I think we only slightly disagree on the defaults. Let's discuss the defaults again after we have most of the features implemented, so we can test different configurations.

[dkg]

in the course of writing this document, we were focused on trying to provide as close to a "normal e-mail" experience as possible for both the sender and the recipient of the message. That's why we emphasize only showing one set of headers. We don't want to make this usable only by e-mail experts, cryptography experts, or (worse) people who happen to be experts in both e-mail and cryptography :P

I agree with @alejandro-colomar that it's reasonable to do the implementation with both modes available and choose the default mode later (certainly experts will want to be able to see both sets for debugging purposes). And i agree with @ossilator that the reasonable default for normal users (which is what should be the default for the software when otherwise unconfigured) is the minimalist setting, where only the protected set is what's shown.

[mschilli87]

cc @the-djmaze

Given that snappymail supports PGP, you might be interested in this discussion.
And even if not, I am certain your input would be appreciated here.

[the-djmaze]

Thanks. I don't think i will implement any of the ideas.
They are good ideas, but Microsoft is the most annoying "smart screen filter" ever created, that accepts email but sends it to the void, instead of notifying anyone in any way that the mail is rejected.

By encrypting/hiding headers we have to fight more against Microsoft mail servers and i already think they should be shot/killed/bankrupt due to the already daily task to fight against their void.

Not to mention the issue they had a week ago where their customers sending mail were also send to the void and everyone had to resend them again after the fix.

So, until everything works as expected, i will wait.

As for tampering: DKIM can protect against that already.

[dkg]

This protocol design work has been done deliberately with the knowledge of real-world deliverability problems in mind. we definitely don't want messages to be dropped by any major providers if they follow this guidance, and we've done a fair amount of testing and have not seen any deliverability problems for the default settings recommended in the draft as compared with e-mail messages with end-to-end encryption but no header protections. If you do see differential deliverability problems due to header protection, please report!

As for using DKIM to protect against tampering: DKIM signatures are typically applied at the domain level, or at least with the cooperation of the domain controller. End-to-end encrypted e-mail messages deliberately consider the domain controller as a possible adversary, so DKIM doesn't provide end-to-end protection against tampering. Furthermore, DKIM signatures are only guaranteed to be verifiable and relevant around delivery time (as DKIM keys themselves might be rotated or unpublished), whereas e2e protections are intended to stick with the message as long as possible.

[alejandro-colomar]

Mailing lists add some address lists to the message. For example, linux-man@vger.kernel.org added the following to one mail from me:

Return-Path: <linux-man+bounces-813-alx=kernel.org@vger.kernel.org>
X-Original-To: linux-man@vger.kernel.org

It also modified the Date (4 seconds earlier than my original message!).

I guess we can add variables to trigger/not trigger tampering warnings when certain address lists are tampered.

set crypt_protected_headers_warn_tampered_date = no
set crypt_protected_headers_warn_tampered_return_path = no
set crypt_protected_headers_warn_tampered_x_original_to = no

The above would silence the [-- ... has been tampered with --] for those two fields. We could default to ignore certain header fields that are often used by mailing lists (if we can find a more-or-less common set of such headers; else leave it up to users to configure).

The red/green colors for tampered fields would still apply, so that these fields would appear in red in the exposed header, since they are not signed. (Assuming I find a way to modify the color of those fields.)

[alejandro-colomar]

@flatcap

Now that we've merged the basic functionality, let's discuss what should go next.

I think your suggestion about punycodes could be the first improvement. And after it, we could try to address more of this.

BTW, while using the devel/security branch, I noticed that thunderbird(1) protects more headers than just the Subject: https://marc.info/?l=mutt-dev&m=171516909330110&w=2. So, we're not alone in this. I'm not sure how they use them on the reading side, though. Maybe @kaie can comment on that?

[flatcap]

punycodes could be the first improvement

Yes, please.
I'm not sure where to start -- there are so many places to change.
Perhaps the Address Dialog -- fairly simple to work with.
Or the <display-address> (@) function -- generate on demand and cache in struct Address.

thunderbird

Ah! Good to know.