ietf-openpgp

[openpgp] Enigmail XSA issue with WKD and HTTP authentication

2018-12-07 08:45:01
Cross-posting this here as I believe this is something that should be
clarified in the WKD draft/standard.

There's an issue in Enigmail that can potentially be abused for
phishing attacks involving WKD and HTTP authentication.

Web Key Directory or WKD [1] is a feature where OpenPGP keys can be
fetched via a defined web address of the form
https://example.org/.well-known/./openpgpkey/hu/[zbase32_sha1_hash_of_local_part]

Enigmail automatically tries to fetch WKD keys already when writing a
mail, so simply having a mail address in "To" will cause an HTTPS
request.

When the server answers with an HTTP authentication challenge (HTTP code
401), Enigmail/Thunderbird would open up an HTTP login window.
While the login window will show the hostname, this can be very
confusing for a user. If a login window randomly pops up within a mail
client, it's plausible that some users will enter their email
credentials. Here's a video to illustrate the issue:
https://www.youtube.com/watch?v=eFSMBX98XiE

Similar attacks in browsers have previously been described as
"Cross-Site-Authentication" or XSA [2].

I think it would be good if the WKD draft were updated to clarify
that a client should never respond to any 401 authentication requests
from the server.


I discovered this together with Moritz Tremmel (we discovered it by
accident due to a server serving HTTP authentication requests for
every path starting with a dot). After we reported this to Enigmail, we
learned that this had previously been reported in the public bug tracker:
https://sourceforge.net/p/enigmail/bugs/890/

[1] https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07
[2] http://www.joachim-breitner.de/blog/56-Like_XSS,_just_simpler_and_harder_to_prevent__The_Cross_Site_Auth_(XSA)_Attack

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno(_at_)hboeck(_dot_)de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
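The mitigation proposed in the post, as an added illustration that is not code from Enigmail, Thunderbird or the WKD draft: a WKD client that builds the direct-method URL (SHA-1 of the lowercased local part, z-base-32 encoded) and treats a 401/407 challenge exactly like "no key", so the background lookup can never raise a credential prompt. The HTTP layer is modelled as an injectable callable so it runs offline; the fake server, the addresses and the key blob are constructed, and the domain part is lowercased here as an assumption since hostnames are case-insensitive.

```python
import hashlib
from typing import Callable, Optional, Tuple

# z-base-32 alphabet (Zooko's z-base-32, which WKD uses; not RFC 4648 base32)
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, zero-padded, no '=' padding."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # a 20-byte SHA-1 digest needs no padding
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def wkd_url(address: str) -> str:
    """WKD direct-method URL: the local part is lowercased, SHA-1 hashed and
    z-base-32 encoded under /.well-known/openpgpkey/hu/ on the address's domain."""
    local, domain = address.rsplit("@", 1)
    digest = hashlib.sha1(local.lower().encode("utf-8")).digest()
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{zbase32_encode(digest)}"

# An HTTP GET is modelled as a callable returning (status, headers, body) so the
# example runs offline; a real client would wrap urllib/requests here (assumption).
HttpGet = Callable[[str], Tuple[int, dict, bytes]]

def fetch_wkd_key(address: str, http_get: HttpGet) -> Tuple[Optional[bytes], str]:
    """Look up a key via WKD. The lookup is background traffic triggered by typing
    an address, so a 401/407 challenge is treated like 'no key': it is reported in
    the reason string for logging, and no credential prompt is ever raised for it."""
    status, headers, body = http_get(wkd_url(address))
    if status in (401, 407):
        challenge = headers.get("WWW-Authenticate") or headers.get("Proxy-Authenticate", "")
        return None, f"auth challenge ignored ({challenge.split(' ')[0] or 'unknown'})"
    if status == 200 and body:
        return body, "ok"
    return None, f"no key (HTTP {status})"

# Constructed fake server: one domain answers every lookup with a 401 (the situation
# described in the post); a benign domain serves a key for one address and 404 otherwise.
FAKE_KEY = b"-----constructed OpenPGP key blob-----"

def fake_http_get(url: str) -> Tuple[int, dict, bytes]:
    if url.startswith("https://challenge.example/"):
        return 401, {"WWW-Authenticate": 'Basic realm="Mail login"'}, b""
    if url == wkd_url("Joe.Doe@example.org"):
        return 200, {}, FAKE_KEY
    return 404, {}, b""

if __name__ == "__main__":
    for addr in ("joe.doe@example.org", "nobody@example.org", "user@challenge.example"):
        print(addr, "->", fetch_wkd_key(addr, fake_http_get))
```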