back to article Pretty wild that a malicious mailto: link might attach your secret keys and files from your PC to an outgoing message

Boffins testing the security of OpenPGP and S/MIME, two end-to-end encryption schemes for email, recently found multiple vulnerabilities in the way email client software deals with certificates and key exchange mechanisms. They found that five out of 18 OpenPGP-capable email clients and six out of 18 S/MIME-capable clients are …

  1. NetBlackOps Bronze badge

    Your security boundary should extend beyond the device on which you are communicating with another. In other words, do the encryption/decryption on another device entirely and copy the encrypted text only from/to your communication device. PITA, but these flaws are just another collection that have been found after the last two sets found in the past.

    1. Snake Silver badge

      Moving security boundaries

      That only moves the target to another machine, a machine that is connected via a vulnerable transmission system. If you can't crack the encoding of the encryption engine of your proposed server/client topology, a worm that taps the network feed or a even a rootkit on the more vulnerable client will do just as well.

      All this plan does is add more nodes thereby crafting a larger potential attack surface. At the least it is better to minimize your surface profile and keep unencrypted data on a single machine/user interface, rather than attempt to secure multiple machine vectors plus the vulnerable communications links between them.

    2. David Shaw

      exactly this. I was required to upload details of my "DUQU" attack from the usual suspects to my CERT. They required an encrypted email. I chose (randomly) one of our hundreds of offline PCs, in a random room. Composed the encrypted text and sent it.

      cue: instantly vast numbers (twenty a week, up from zero) of 'spam' (stuff that pretended to be spam, containing lots of evil code), they carried on for weeks, also sent some, highly selectively, to just me & my boss, out of the thousands of staff at work. So obvious, you might have well have signed it Cheltenham & Gloucester Building Society.est1850 .#

      My CERT was eventually satisfied; the 'masters of the internet' presumably now have my plaintext - guys/gals/inter: if you *really* need something, then just phone and ask - not everything needs to be put as highest priority in your plausibly-deniable-obfuscated-malware-SPAM-cannon

      #other autocratic nations presumably similarly go after everything encrypted, but why don't I notice their attacks?

  2. cantankerous swineherd Silver badge

    don't use email.

    1. chivo243 Silver badge

      email is unreliable. Many moons ago, I read an article(maybe here?) where a guy did a study, emailing thousands of people regularly, people who were part of the study, and knew to reply, and I seem to remember a number like 89% success...

      1. IGotOut Silver badge

        Email has and always be a best effort system

        That 98% sound waaaay to low a success rate though. Unless of course he got flagged as spam

  3. Sitaram Chamarty

    hah! paranoia pays off

    I've always been a paranoid bugger who runs the mail client in one userid, and 3 different browsers in 2 other userids.

    If the malicious link appeared on a web page, it would hit a blank wall -- the userid that is running the browser won't find an email client running, and even if it starts one it's definitely not configured to do anything.

    It's also fairly easy to setup this kind of separation in Linux; I imagine a lot of people may be doing similar things (if they're paranoid enough that is).

    1. bombastic bob Silver badge

      Re: hah! paranoia pays off

      yeah I generally don't trust 'mailto' links either, and always examine the e-mail before sending something. Having attachments pre-loaded [especially if it's something important from a known location] is obviously bad [what is /etc/shadow and my e-mail address book doing attached to this e-mail?] but I haven't directly clicked on links in e-mails in YEARS, if not even DECADES.

      That is because I _ALWAYS_ view e-mail as plain text. It's amazing how many unsolicited e-mails have embedded links within them, sometimes to embedded attachments, but often long alphabet-soup links to web sites that can THEN track you or confirm you received their spam. And of course they hide it with a legit looking link inside the 'a' tag, which is obvious bogus when NOT viewed as HTML...

      and a 'mailto' within an e-mail would show up the same way. web site links, however, are (obviously) still subject to trickery.

      1. Doctor Syntax Silver badge

        Re: hah! paranoia pays off

        Even the links which, at first glance, look kosher turn out to be subdomains hosted by somebody else.

  4. Mike 137 Silver badge

    Getting it right

    El Reg: "Pegasus Mail is said to be affected though it doesn't have a designated CVE – it may be that one of the unidentified CVEs applies here."

    The paper: "Similar attacks were found in 2000 for Pegasus... " ref: CVE-2000-0930 (Pegasus Mail 3.12)"

    There are no subsequent reports. Pegasus is now at V4.73 (2018) and uses entirely different transport security mechanisms.

    Pegasus is, and always has been, generally very robust and bug free, so don't take the Reg's negative implication as gospel.

    1. hoagy_ytfc

      Re: Getting it right

      Glad to hear you’re bug free. Does that include unknown bugs?

  5. Peter X

    Vuln exists on Thunbird 68.10.0/Mint Cinnamon 19.3

    I'm super disappointed at that. :(

  6. Paul Hovnanian Silver badge

    Lets see ...

    My web page has a mailto link. But the web server that hands out that link runs as a relatively untrusted user on my machine*. And all of the private keys, security tokens and other detritus needed to support encryption/decryption/certificate signing reside outside of the scope of its permissions. How is it going to get hold of anything interesting?

    *Actually, my web page is hosted on a completely different machine in a data center in a city far, far away from my e-mail clients. My MX record doesn't point to anything more interesting than a system that knows where to forward my stuff.

    1. doublelayer Silver badge

      Re: Lets see ...

      It has nothing to do with your server. That's as secure as it was before. It's your users who might have the problem if you decided to alter the content of the pages you are pushing out. Specifically, if you modified the link, they clicked the link, their mail client didn't block your change, they didn't see your modification, and they sent a message, you could get them to divulge a file from their system.

      1. Paul Hovnanian Silver badge

        Re: Lets see ...

        Oops. Somehow, I read that threat the other way around.

        Nevertheless, my mailer won't attach something unless the specified file's extension is listed in its mime types. If the file type isn't listed, I've got to zip or gzip it manually.

  7. Claptrap314 Silver badge

    I had this idea decades ago..

    Around 1998. Each user id need to be an admin for sub-ids that they create, one per application.

    Pain in the *** to administer. But cheaper than nuking the whole thing from orbit.

  8. EnviableOne Silver badge

    Has to be in Outlook

    one of them unlisted ones has to be in outlook ....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021