PGP and EFail

Well, this is just great. The only good end to end encryption system for email that’s been proven and vetted is now suspect. This is due to bad plugins, and a failure to enforce integrity checking, and embedding encrypted text into an html message designed to take advantage of your mail parsers html renderer to exfiltrate the text your mail client has decrypted to another destination.

Another issue has to do with the fact that PGP uses underlying primitives from SHA-1, which are known to be no longer secure. Because of this, the security of PGP begins to break down with a 4096 bit key. Thus a 2048 bit key is more secure. If the first 4640 bytes of a message are known, the 160 byte key be determined, and thus the state of your random number generator predicted, allowing the attacker to potentially regenerate the 512 bytes that created your 4096 bit key. This doesn’t happen at 2048 bit key size. Of course, a 2048 bit key is not secure for long term usage anymore, due to the increased available computing power for your average attacker.

PGP should really move to an AES base, and have mandatory enforced integrity checking, which plugins should follow as well. This will not prevent someone from attacking cyphertext embedded in cleartext html that your email client then decrypts, so email clients should refuse to decrypt said text within the html contents, but should do so in a sandbox that the potentially malicious html in the clients html renderer can not access. Better yet, PGP mail plugins should refuse mixed media messages where the cypher text is embedded in another document medium other than plain text.

Also, you should keep in mind, even if your email client plugin is not vulnerable to exfiltration attacks, it doesn’t mean the clients of all the people you communicate with are not. So for now, PGP really shouldn’t be used with an automated pgp decryption plugin in the email client, but rather the cypher text should be extracted and manually decrypted from the command line by all parties. Since you can’t enforce that, you should not use PGP for encrypted email communications until at least the major email platforms are patched to prevent such an exploit.

At this time, I wouldn’t recommend PGP as a main form of end to end encryption either. Until the underlying cryptographic primitives are upgraded, and even then, I would have a strict anti-legacy PGP protocol policy in place. Really, in it’s current form, I would not use PGP for anything more than signature verification. Thankfully that aspect is still secure.

Currently, there are no suitable alternatives to PGP that are verified and secured to replace it for email communications. This is a major blow to secure email communications, and it will take time to fix PGP or to vette an appropriate replacement. Don’t even get me started on S/MIME, that ship has even more vagrant leaks than the titanic after it hit the iceberg. In the mean time, keep your head up, and keep your eyes open.

Network Down!

Had to deal with a server today that lost it’s network connectivity thanks to a Windows patch. Apparently when applied, it caused the interfaces ID’s to get renumbered, and no longer have their static IP information assigned to them. Now instead of network card having the ID of 13, it now has the ID of 15, thus the settings for ID 13 no longer point at any hardware. Of course, I couldn’t just assign the static IP information to ID 15, since they were already in use by the non-existent card at ID 13. It was a customers server, so I’m not exactly sure which patch did it, but I think it was KB4088875. Regardless, I purged the records for the network card at ID 13, and applied them to the correct ID. All is good now, but the customer is pretty upset that they had to get a remote hands session to take care of it. All said and done, the server is up and running, and my belief that Windows doesn’t belong in the datacenter is reenforced. Heck, I don’t think it belongs on the desktop either, but that’s just me.

Simple Trick to Prevent Access Via Direct Call to index.php

I’ve developed an awesome bit of code that will check to see if your index page is set to the same name as the SELF constant, and if not, it will display a 404 error page if it happens to be in the URL.

/**
 * Protect default route
 *
 * @access public
 * @param string $method method name
 * @param array $params array of parameters
 * @return mixed
 */
public function _remap(string $method, $params = [])
{
 $default_controller = trim(mb_strtolower($this->router->default_controller));
 $request_controller = trim(mb_strtolower($this->uri->segment(1)));
 // prevent duplications of the default route
 if (
 $default_controller == $request_controller &&
 $method == 'index'
 ) {
 show_404();
 }
 // Determine if the entry script is in the beginning of the url
 $index_check = substr($_SERVER['REQUEST_URI'], 1, mb_strlen(SELF));
 // prevent direct access to entry script if it's not defined
 // in the configuration (such as in the case of removal for pretty urls)
 if (
 $this->config->item('index_page') != SELF &&
 $index_check == SELF
 ) {
 show_404();
 }
 if (method_exists($this, $method)) {
 // if method exists
 // call method and pass any parameters we recieved onto it.
 return call_user_func_array(array($this, $method), $params);
 } else {
 show_404();
 }
}

You can utilize it by placing it into your controller script, I recommend creating a MY_Controller.php in your application/core path, and putting it inside that. Refer to the CodeIgniter manual for more information on that. You can also take a look at my autoloader hook if you want to use custom base controllers. Finally, I’ve made a little skeleton project that has the basic modifications I use in it. You won’t find HVMC in it currently, because I’m not currently using those mods in my projects. Enjoy.

Long Weekend

It’s been a long weekend. I’ve been working on a budgetary plan in order to improve my credit score so that I can replace my failing vehicle. It kind of sucks being broke all the time. Of course, the problem is me, not how much money I take in. I really need to get a handle on my expenses. I find that I buy a lot of trivial crap. Anyway, I’ve set a plan for myself to put things to rights, and hopefully I’ll have the money to get my new car in about 6 – 8 months if all goes well.

Another expense that I need to save up for is a new computer. I can get by with what I have for now, the car comes first. The car is what gets me to work to make the money with which I will purchase said computer. I’ll just have to eek buy on my meager resources until then. I’ve got some spare parts lying around, I may be able to get a little more life out of my main desktop with those. We’ll see what happens.

Winter Mayhem 2018

Huge snowstorm came through the city today. I left and went home as a result. Between the time I left the office and the time I got to where I was going, nearly 6″ of snow had fallen, and it was still coming. I looked at the news, and we are expecting between 6 and 18 inches of snow, depending on what part of the city you are in. Freaking ridiculous! The city is like a ghost town, nobody on the roads that doesn’t need to be. Downtown Minneapolis is practically shutdown, as they sent anyone home who didn’t absolutely need to be there. Many businesses just up and closed for the day. Didn’t get any shipping done at work either, because FedEx had pulled their drivers off the roads out of safety concerns.

Welcome to Minnesota! The states attitude is just like that good ol’ Minnesota nice, just a few degrees colder! Seriously, it’s been a hell of a day. I’m just glad I’m somewhere warm and safe. Tomorrow, I’ll be ready to go out and do it all over again!