Message security #4251
Replies: 27 comments 34 replies
-
I haven't addressed *01 and *02, since I'm not sure we want them. The following issues / PRs address
The following issues / PRs address The following issues / PRs address the weeding of protected header fields:
The following issues / PRs address
The following issues / PRs address
The following issues / PRs address The following issues / PRs address The following issues / PRs address
The following issues / PRs implement |
Beta Was this translation helpful? Give feedback.
This comment has been hidden.
This comment has been hidden.
-
I'm not deep into this topic, sorry if this is a stupid question. This two are mostly useful for the sender right? Or why would I, as recipient, care if some other recipient can't verify/decrypt a message? |
Beta Was this translation helpful? Give feedback.
-
With my limited knowledge:
Regarding the warning in But what I really wanted to ask: what happened to |
Beta Was this translation helpful? Give feedback.
This comment has been hidden.
This comment has been hidden.
-
I had been thinking about this one. I very much prefer to keep it intact, for the user to examine. (This is the behavior with |
Beta Was this translation helpful? Give feedback.
-
I never understood why (neo)mutt(1) uses the "envelope" term. The envelope is a different thing. What (neo)mutt(1) calls the envelope is actually the header, isn't it? See also: And see also:
|
Beta Was this translation helpful? Give feedback.
-
I think these two are unlikely to be feasible and useful. Some times we'll receive messages that are encrypted to recipients whose key we don't have, so we don't know if the recipient can decrypt or not. Or maybe we have the key, but the recipient added another ID to that key recently, and we didn't know about it. I'd leave these two for future investigation (as in, at least a few years from now), but discard them for now. |
Beta Was this translation helpful? Give feedback.
This comment has been hidden.
This comment has been hidden.
-
Maybe we could use colors:
However, I would do this in a second round of improvements to message security. I.e., not in the first release. I'd like to give it some more thought. *: Message header is what (neo)mutt(1) calls the envelope. In RFCeese, the term message header refers to the "main" header of the email. See https://datatracker.ietf.org/doc/html/rfc1521#section-7.2. |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
Round 1.I think in a first release we could limit ourselves to the following, which are the most basic enhancements:
The rest are either more difficult to implement, or may need more discussion. |
Beta Was this translation helpful? Give feedback.
-
Hi @alejandro-colomar , I have a couple of questions regarding protected headers. They are general questions, not related to what we already do or what you suggest we do:
|
Beta Was this translation helpful? Give feedback.
-
I have the impression that protected headers should be proposed as part of an extension of a PGP-MIME RFC, to maximize interoperability. Putting headers in the MIME header is a no-brainer, but reporting mismatches between the email and the MIME headers and everything that follows could be codified in a standard. |
Beta Was this translation helpful? Give feedback.
-
This assumes a certain interpretation of the headers of the encrypted MIME part, which - as of today - only exists marginally. This is part of why I think this would be best put in an RFC. I think it's a stretch to say that if I find a From: header in the encrypted MIME header, it should be taken as the sender instead of the From header in the email. There's nothing to say how to interpret those headers, and different MUAs might implement their on semantics. |
Beta Was this translation helpful? Give feedback.
-
it's even more a stretch to suppose that the sending MUA meant anything else when it put the header there. sure, you can effectively kill the effort by insisting on (even more) a-priori standardization, which will most likely meet the same destiny as the previous attempts. or you just accept that this is objectively a quality improvement with no obvious downsides, and go with it. |
Beta Was this translation helpful? Give feedback.
-
It might mean a nickname, not a formally valid email address. It might not even be a MUA that generates the part. It might be a journalists software that uses From to put the source of some news, and To to mean the name of the journalist. I don't have the context of how everyone in the world uses PGP MIME parts. That's why we need standardization.
It's a quality improvement only for NeoMutt<->NeoMutt communication, as long as nobody else is doing it - so very marginal. And it has no obvious downsides as long as nobody else is doing it differently. My suggestion, if we want to pursue this, is to use X-NeoMutt-* headers. |
Beta Was this translation helpful? Give feedback.
-
the level of malicious idiocy to actually do that would be astonishing. re-using existing rfc5322 header names in a closely related context for other purposes is obviously calling for trouble. sure, someone might do it nonetheless, but why should the world be constrained by such people? esp. given the existence of the related draft RFCs? |
Beta Was this translation helpful? Give feedback.
-
Ok - so you're saying you're going to implement https://datatracker.ietf.org/doc/html/draft-ietf-lamps-header-protection-20? |
Beta Was this translation helpful? Give feedback.
-
often enough, things are standardized post-fact after they have proven themselves. the deprecation of the X- prefix explicitly encourages this, although at the micro level. |
Beta Was this translation helpful? Give feedback.
-
Can you please say more clearly on which of the various aspects discussed you're seeking feedback? |
Beta Was this translation helpful? Give feedback.
-
Sorry to comment on this late. The feature looks generally useful and it's good to see that standardization on secure headers is proceeding (though mainly on the S/MIME side at the moment?), but have you checked how current versions of widely-used MUA integrations display headers other than Subject from inside the secure envelope? For example:
If "extra" headers hit the user with load of warnings or cause other problems, it may prompt complaints from users and maintainers. On the other hand if clients don't display the secure headers at all, this may prompt complaints from security hawks that this represents an invisible salamanders kind of vulnerability (different recipients see different content). Appendix A of draft-ietf-lamps-header-protection linked above has a good list of problems to look out for as well as test vectors. The results may affect how quickly the features discussed here could be enabled by default if relevant PR(s) get merged. IIRC some EU governments (e.g. Germany) have recently adopted PGP for secure messaging so interop issues with GUI clients running on Windows may be something that people care about at the moment. (It may also be something of a meta-problem that some people involved with ietf-lamps-header-protection are also involved in the ietf-openpgp-crypto-refresh WG, which is currently in a pretty much all-out standardization war with GnuPG developers). |
Beta Was this translation helpful? Give feedback.
-
How about more widely-used MUAs? I'm thinking of GMail and Outlook. You can't probably easily decrypt encrypted messages, but you can probably display signed messages. I guess they'll ignore protected headers altogether. |
Beta Was this translation helpful? Give feedback.
-
I'm really glad to see this work, @alejandro-colomar . thanks for doing it! If you have any feedback about draft-ietf-lamps-protected-headers, including about any potential divergence, please don't hesitate to raise issues, either on the LAMPS mailinglist or in the issue-tracker. Please note that we have a change pending to the draft related to how a recipient of an encrypted message can tell whether the sender removed or obscured any of the headers that were directly protected. The change should clean up one obscure corner case where it might be difficult to tell what the sender of the message actually did. I suspect the safest route to deployment here when generating messages is to use a default Header Confidentiality Policy of @vuori the header protection (and its partner document, As for the risk of conflict with the GnuPG team, if there's a war, it's entirely one-sided, as i have no interest in being in a war. Indeed, i'm a longtime supporter of GnuPG, and have helped to maintain it in Debian for many years. I don't oppose GnuPG, but i am intimately aware of the ways that it can fail users, and i don't think the ecosystem is healthy if it all just entirely follows the whim of a single implementation. I want standardization (whether in OpenPGP or in e-mail standards, or elsewhere) to advance across multiple implementations, with something like the proverbial rough consensus and running code. I would certainly hope that whatever animus the GnuPG team bears toward me wouldn't translate into a rejection of anything i happen to have touched, but that's also not something i can control. ☹ |
Beta Was this translation helpful? Give feedback.
-
cc @the-djmaze Given that snappymail supports PGP, you might be interested in this discussion. |
Beta Was this translation helpful? Give feedback.
-
Mailing lists add some address lists to the message. For example, linux-man@vger.kernel.org added the following to one mail from me:
It also modified the Date (4 seconds earlier than my original message!). I guess we can add variables to trigger/not trigger tampering warnings when certain address lists are tampered.
The above would silence the The red/green colors for tampered fields would still apply, so that these fields would appear in red in the exposed header, since they are not signed. (Assuming I find a way to modify the color of those fields.) |
Beta Was this translation helpful? Give feedback.
-
Now that we've merged the basic functionality, let's discuss what should go next. I think your suggestion about punycodes could be the first improvement. And after it, we could try to address more of this. BTW, while using the devel/security branch, I noticed that thunderbird(1) protects more headers than just the Subject: https://marc.info/?l=mutt-dev&m=171516909330110&w=2. So, we're not alone in this. I'm not sure how they use them on the reading side, though. Maybe @kaie can comment on that? |
Beta Was this translation helpful? Give feedback.
-
Overview
This is a list of existing security features of NeoMutt and a large number of proposed improvements.
NeoMutt can sign and/or encrypt emails.
While this adds security to the message, the headers could be tampered with.
Many of the ideas below help to protect against this, or highlight when it happens.
Developers: Some of them already have proofs-of-concept that you can try out.
There's a lot to take in.
Feel free to ask lots of questions and let us know your thoughts.
Thanks! ❤️
Existing Feature
*17
Hidden SubjectWhen NeoMutt encrypts an email, it has a feature to hide the
Subject:
.The headers will contain, say:
Subject: ...
and the real subject will be put in the encrypted body.This makes it harder for eavesdroppers to follow a conversation.
See also
*08
This feature is controlled by the config:
*05
Toggle showing protected fieldsWhen NeoMutt receives a message with protected headers, it has a configuration variable to hide them.
This helps reduce the noise of duplicated header fields, since in most cases, messages will be legitimate.
This feature is controlled by the config:
Proposed Features
*19
Encryption Info BlockPull Request: #4221
Add a block of information to the Pager showing all the encryption recipients.
Currently, this shows a list of encryption sub-keys.
These sub-keys are unique and can be used to look up the user's main key, but they aren't immediately recognisable.
Future improvements:
(these steps haven't been tested)
This feature is controlled by the config:
set crypt_encryption_info = no
*01
Encryption Key/Recipient CheckThis would depend on
*19
and looking up the user's email addressWarn the user when an encryption recipient isn't in one of the address fields.
Looking up the user's real name / email address could be slow (untested).
*02
Encryption Recipient/Key CheckThis would depend on
*19
and looking up the user's email addressWarn the user when a recipient of the email doesn't have a matching encryption key.
Looking up the user's real name / email address could be slow (untested).
*03
Remove Padding LinesConfirmed: See devel/security #4243, #4255
Don't display padding around the message, in the Pager.
NeoMutt prints a blank line before and after the message body.
Remove them, so that what's displayed matches what's signed/encrypted.
*04
Force Blank Line After Mime HeaderConfirmed: See devel/security #4247, #4255
The Mime header block can contain zero or more fields.
However many fields there are (even zero), they are always followed by a blank line.
This means the user can distinguish between fields that are hidden and zero fields.
*20
Weeding the Crypto HeadersOptionally hide some of the protected headers.
NeoMutt performs "weeding" (filtering) on the email headers.
The
ignore
andunignore
commands tell NeoMutt which to hide or show.These currently affect protected headers as well.
We could add a configuration variable to not do that by default, while still allowing to weed them.
This feature would be controlled by,
set crypt_protected_headers_weed = yes
*07
Hide BccEncrypting to a
Bcc
should use a "hidden recipient".When
gpg
encrypts, it can embed the key fingerprint in the text.Anyone who has the encrypted text, can tell who it's encrypted to.
If you send an email
To: Jim
andBcc: Bob
, then Jim can infer that Bob received the email too.By telling
gpg
to use 'hidden recipients', then key isn't visible.This is an improvement, but Jim will still know that there's another recipient.
A more thorough solution, and much more work, would be to have NeoMutt send a separate email to each of the
Bcc:
list.See also:
*19
Encryption Info Block*08
Protect Address ListsPresent in mutt(1) since 2.0.0:
See http://mutt.org/relnotes/2.0/
See https://gitlab.com/muttmua/mutt/raw/stable/UPDATING
See https://gitlab.com/muttmua/mutt/-/commit/82b5c697e935ffe40b833e150aa79fd3cb27a20c
See https://marc.info/?l=mutt-dev&m=171349491914691&w=2
See https://marc.info/?l=mutt-dev&m=171349804815814&w=2
(but mutt(1) doesn't protect all address lists; only the basic ones.)
Save a copy of any address lists, e.g.
To:
,Cc:
in the signed/encrypted block.The headers of an email aren't protected and could be altered by a malicious agent.
When you reply to an email, you can't be certain that everyone was really an intended recipient.
See also:
*11
Warning on Tampering*20
Weeding the Crypto Headers*09
Protect In-Reply-ToSave a copy of any the
In-Reply-To:
in the signed/encrypted block.The
In-Reply-To:
field contains sensitive fields.If an attacker were to alter them, it could mislead the recipient.
See also:
*08
Protect Address Lists*10
Use Protected FieldsUnprotected fields shouldn't be trusted when replying.
If an email's headers have been tampered with, it should still be possible to reply to the email using the protected values.
If the user has already been warned, then the correct values of the fields should be used.
Note: Until the message has been opened, it won't be possible to check for tampering.
The Index needs to display the protected values as soon as the Pager has read them.
*11
Warning on TamperingCheck the header fields against the protected copy in the signed/encrypted block.
Display a warning in the Pager:
What should we do with this info?
Should we:
Highlight the bad field in the headers?
Leave the original header intact?
(For the user to examine)
Overwrite the header?
Keep a
Subject-Orig:
?(So we can warn every time the email is read)
See also:
*15
Colours*13
Phishing ProtectionHighlight email addresses that could be misleading.
See also: #4233 Phishing Protection
These two addresses are not the same, but in many fonts they look identical.
Mark any addresses that aren't entirely ASCII with they're PunyCode equivalent.
Users can create a list of known safe addresses.
*14
Pager NavigationThese features could potentially add a lot of header information to an Email.
We want to encourage more people to use the features, but we don't want to get in the way of reading the email.
Currently, NeoMutt has functions,
<skip-headers>
and<skip-quoted>
.We could alter
<skip-headers>
to step between Mime blocks too.The top of the screen displays:
e.g.
<skip-headers>
: First Mime block<skip-headers>
: Second Mime block (or no change)See also:
*16
Compact Display*15
ColoursUse colour to highlight errors, warnings, or correct info.
Using
gpgme
is the preferred way to handle signing/encryption.(
set crypt_use_gpgme = yes
)It knows (so NeoMutt knows) when a signature is bad, etc.
Some old NeoMutt themes had regexes to match and colour "Good signature" / "Bad signature".
Should we create some colours for these common cases?
Currently, all the
[-- ... --]
type headers are coloured withcolor attachment
.Do we want a separate
color crypto
?Vim has the ability to link colours together (NeoMutt doesn't, yet :-)
e.g.
This might allow linking
color crypto_warning
tocolor warning
, etc*16
Compact DisplayDisplay less information, without compromising security.
Most users will never see a forged email, but we still want them to enable these safety features.
This means making the displayed information very quick to parse visually, or very compact.
For a normal email, all the protected fields will be the same as the email header fields.
In this case, it makes sense not to show one of the sets.
If we hide the protected fields, we need a way to show that the header fields have been validated.
We could define some new colours for the various states: Valid, Unknown, Invalid.
Alternatively, NeoMutt already uses quite a few
*_chars
config options as flags.This would allow custom text markers (e.g. using NerdFonts).
Or both!
Beta Was this translation helpful? Give feedback.
All reactions