Re: What's up Johnny?
Artifacts for the DEF CON talk | draft paper here
We show practical attacks against OpenPGP and S/MIME encryption and digital signatures in the context of email. Instead of targeting the underlying cryptographic primitives, our attacks abuse legitimate features of the MIME standard and HTML, as supported by email clients, to deceive the user regarding the actual message content. We demonstrate how the attacker can unknowingly abuse the user as a decryption oracle by replying to an unsuspicious looking email. Using this technique, the plaintext of hundreds of encrypted emails can be leaked at once. Furthermore, we show how users could be tricked into signing arbitrary text by replying to emails containing CSS conditional rules. An evaluation shows that 17 out of 19 OpenPGP-capable email clients, as well as 21 out of 22 clients supporting S/MIME, are vulnerable to at least one attack. We provide different countermeasures and discuss their advantages and disadvantages.
To test if your client can be misused as a decryption oracle, follow these steps:
- Import the S/MIME and PGP secret keys into your email client
- Before continuing, verify that you can sucessfully decrypt...
- Move the .eml file to your inbox (e.g. drag-and-drop in Thunderbird)
- Do the modified multipart messages in
- If so, are they included in reply messages? Can you hide them?
To be misused as a signing oracle, a mail client needs to support:
- internal/external CSS styles (see
- CSS conditional statements (see
- or other conditional rules as documented in the paper
- CSS blinding options (see