thunderbird / thunderbird-android

Thunderbird for Android – Open Source Email App for Android (fka K-9 Mail)
https://thunderbird.net/
Apache License 2.0
10.47k stars, 2.49k forks

Signing Oracle based on keeping CSS styles in replies to HTML emails #3925

Closed jensvoid closed 5 years ago

jensvoid commented 5 years ago

Dear K-9 Mail team,

In the scope of academic research in cooperation with Ruhr-Uni Bochum and FH Münster, Germany we discovered a security issue in K-9 Mail when used in combination with PGP (OpenKeychain): K-9 Mail quotes and includes CSS internal <style> elements in email replies. This allows an attacker to abuse K-9 Mail as a signing oracle for arbitrary PGP signed emails.

The attack is outlined as follows:

Attack scenario

Digital signatures should guarantee integrity, authenticity, and non-repudiation of messages. To give an example, Johnny could be a commander-in-chief who takes information security seriously. All his emails are digitally signed, making it hard to impersonate him in order to send forged statements or instructions. The goal of our attacker Eve is to start false-flag warfare. Therefore she needs to obtain a digitally signed "declaration of war" which she can forward to the armed forces.

General idea

Eve now sends an email to commander Johnny, in which she hides her malicious content using CSS while a benign text message, such as "What's up Johnny?", is added to be shown by K-9 Mail. Similarly, the benign text can be hidden while showing the malicious content, based on CSS conditional rules which are satisfied only for a third party. If Johnny replies to such a specially-crafted HTML/CSS email, he signs arbitrary covert content along with visible content. This signed message can then be forwarded by Eve to a third party (e.g., the armed forces) where it displays the previously hidden malicious content "I hereby declare war". A simple example email is given below:

```
From: eve@evil.com
To: johnny@good.com
Content-Type: text/html

<style>
/* hide malicious content on mobile devices */
@media (max-device-width: 834px) {
  .covert {visibility: hidden;}
}
/* but show on desktop/large-screen devices */
@media (min-device-width: 835px) {
  * {visibility: hidden;}
  .covert {visibility: visible !important}
}
</style>

What's up Johnny?
<div class="covert" style="visibility: hidden">
I hereby declare war.</div>
```

In this example, different content is shown based on the device's screen resolution. It can be used to obtain a signed email from a mobile device, where a benign message is shown. The reply message instead displays a (signed) declaration of war when shown on a desktop mail client.

Conditional CSS rules

The W3C specifies CSS conditional rules (e.g., @media) which allow different formatting based on conditions such as screen width or orientation. For example, a different text can be shown depending on whether a mobile phone is held in portrait or landscape mode or whether the document is displayed on a screen or printed out. But there are lots of other options: for example, mail clients can be fingerprinted based on the @support conditional rule or various proprietary conditional statements of certain clients can be applied.

Without going into detail here, in the scope of our research we found conditional CSS to show/hide certain text for virtually every email client that exists.

CSS blinding options

We identified seven CSS properties which can be used for covert content attacks as shown below. However, this list is unlikely to be complete because CSS is very complex and offers more possibilities to hide text.

```
display:    none;
visibility: hidden;
opacity:    0;
clip-path:  polygon(0px 0px, 0px 0px, 0px 0px, 0px 0px);
position:   absolute; top: -9999px; left: -9999px;
color:      transparent;
font-size:  0;
```

Impact

The attack allows Eve to obtain valid signatures for arbitrary content to be displayed. This can be used to trick a third party, which relies on the authenticity and integrity of signed messages, to perform certain actions (such as starting a war). A forensic analysis can reveal the deception, but then it may already be too late (the war is already declared).

Countermeasures

There are three options to counter the attack, each with a usability-security trade-off:

  1. Drop CSS support in general: Conditional CSS makes it easy for an attacker to hide certain text within a signed message while showing different text. Ideally, clients would ignore CSS in received emails. However, this is an unrealistic scenario given today's usage of email. Sanitizing conditional CSS rules and properties which can be used to hide content is feasible, but it may be insufficient as web technologies are constantly evolving.
  2. Only ASCII text in replies: It should not harm the user experience if mail clients converted quoted messages into ASCII text when replying to an email. Various clients are already doing this. Thus, we recommend that security-focused clients should adopt this behavior.
  3. Remove CSS styles in replies: Email clients should not sign any quoted CSS <style> (or <link rel="stylesheet">) from the original message, so that they cannot be used as signing oracles, based on blinding text with CSS conditional statements.

Greetings, Jens
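A defensive sketch of countermeasure 3, added here as an example and not K-9 Mail's or the researchers' own code: a small filter over the quoted HTML (Python, standard-library parser only) that drops `<style>` elements, stylesheet `<link>`s and any inline `style` attribute using one of the seven blinding properties listed above, so that the quoted text the user signs is the text that gets rendered. The function and class names (`sanitize_quoted_html`, `QuoteSanitizer`, `is_blinding`) are hypothetical, and the sample body is constructed from the issue's example email.

```python
import re
from html import escape
from html.parser import HTMLParser

# The seven blinding properties from the issue; a quoted inline style that uses
# any of them is dropped rather than carried (and signed) in the reply.
BLINDING = [re.compile(p, re.I) for p in (
    r"display\s*:\s*none", r"visibility\s*:\s*hidden", r"opacity\s*:\s*0(?![.\d])",
    r"clip-path\s*:", r"position\s*:\s*absolute", r"color\s*:\s*transparent",
    r"font-size\s*:\s*0(?![.\d])")]
def is_blinding(style): return any(p.search(style) for p in BLINDING)

class QuoteSanitizer(HTMLParser):
    """Re-emit HTML without <style>, <link rel=stylesheet> or hiding inline styles."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &lt; etc. escaped in output
        self.out, self.in_style, self.dropped = [], 0, 0
    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style += 1; self.dropped += 1; return
        if tag == "link" and any(k == "rel" and "stylesheet" in (v or "").lower() for k, v in attrs):
            self.dropped += 1; return
        kept = []
        for k, v in attrs:
            if k == "style" and is_blinding(v or ""):
                self.dropped += 1; continue
            kept.append(f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}")
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_startendtag(self, tag, attrs):  # <link .../>: nothing to close
        if tag != "style": self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        if tag == "style": self.in_style = max(0, self.in_style - 1); return
        if tag != "link": self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.in_style: self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): pass  # conditional comments are dropped as well

def sanitize_quoted_html(markup):
    """Return (cleaned_html, number_of_style_sources_removed)."""
    p = QuoteSanitizer(); p.feed(markup); p.close()
    return "".join(p.out), p.dropped

# Constructed sample: the body of the issue's example email.
SAMPLE = ("<style>@media (max-device-width: 834px) { .covert {visibility: hidden;} }\n"
          "@media (min-device-width: 835px) { * {visibility: hidden;} "
          ".covert {visibility: visible !important} }</style>\nWhat's up Johnny?\n"
          '<div class="covert" style="visibility: hidden">I hereby declare war.</div>')
```

Running `sanitize_quoted_html(SAMPLE)` removes both the `<style>` block and the inline `visibility: hidden`, leaving the "declare war" text visible in the quoted reply exactly as it will be signed.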

justinacolmena commented 5 years ago

On February 23, 2019 7:49:38 AM AKST, jensvoid notifications@github.com wrote:

True, HTML+CSS tricks can be somewhat of a security issue for email and certainly for the web in general, which of course cannot be mitigated by simply signing the email with PGP, but the whole attack scenario as laid out, while technically possible, is neither terribly feasible nor practical, nor particularly unique to K-9 Mail or to PGP signatures.

It seems like a little bit of an exaggeration to call a quoted reply to obfuscated CSS a "signing oracle," but I suppose in certain circumstances someone might try to go politicking or leak to the news media with a screenshot of an apparently valid PGP signature on a reply to a quoted HTML email with some carefully crafted CSS trickery.

It is entirely possible to use plain text only for email, but then of course there are various Unicode look-alike characters, "title case" for Cyrillic letters, right-to-left support for flowing Arabic script or vowel-pointed Hebrew block letters, and similar security issues, whereas those German university profs tend to be satisfied with a few umlauts and the occasional double-S on top of the 26-letter American English alphabet.

Too much FUD is coming in from over at that EFF community with letsencrypt, certbot, TOR, etc.

National Socialist Democrats with labor issues are spreading Fear, Uncertainty, and Doubt over Free and Open Source Software, and Republicans or other conservatives with small business goals are just rubbing their hands together with greed, or else it's another mega-corporate state takeover. Brotherhood. -- A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/

cketti commented 5 years ago

We don't plan to take any action because of this. However, we do recommend not to accept declarations of war via email.

jensvoid commented 5 years ago

Update: Here's a full (public) report on the issue: https://arxiv.org/ftp/arxiv/papers/1904/1904.07550.pdf