PSA: keep your code signing keys inaccessible to email clients
74 views
Skip to first unread message
Jean-Philippe Ouellet
May 14, 2018, 11:20:58 AM5/14/18
to qubes-devel
Shouldn't be terribly surprising to this crowd, but: https://efail.de/
Simply using split-pgp does *NOT* protect you against this, especially
if you have agent authorization with a non-zero timeout.
The immediate impact on Qubes developers is that one should use
separate keys for email and code signing, have your secret keys in
separate split-gpg backend domains, and not allow any VM with an email
client to make requests to the VM holding your code-signing keys. In
other words, have disjoint sets of development and communication
domains.
I'm glad I had the foresight to so this since the beginning.
Yet another instance of features combining in unfortunate ways [1][2].
Yay complexity! :/
Regards,
Jean-Philippe
[1]: https://web.archive.org/web/20170714094731/http://www.tedunangst.com/flak/post/features-are-faults
[2]: https://web.archive.org/web/20170611213655/https://www.tedunangst.com/flak/post/features-are-faults-redux
Simply using split-pgp does *NOT* protect you against this, especially
if you have agent authorization with a non-zero timeout.
The immediate impact on Qubes developers is that one should use
separate keys for email and code signing, have your secret keys in
separate split-gpg backend domains, and not allow any VM with an email
client to make requests to the VM holding your code-signing keys. In
other words, have disjoint sets of development and communication
domains.
I'm glad I had the foresight to so this since the beginning.
Yet another instance of features combining in unfortunate ways [1][2].
Yay complexity! :/
Regards,
Jean-Philippe
[1]: https://web.archive.org/web/20170714094731/http://www.tedunangst.com/flak/post/features-are-faults
[2]: https://web.archive.org/web/20170611213655/https://www.tedunangst.com/flak/post/features-are-faults-redux
Holger Levsen
May 14, 2018, 11:26:07 AM5/14/18
to qubes-devel
On Mon, May 14, 2018 at 11:20:29AM -0400, Jean-Philippe Ouellet wrote:
> The immediate impact on Qubes developers is that one should use
> separate keys…
> The immediate impact on Qubes developers is that one should use
or simple use an email client which cannot display html and doesnt
active elements and reloading stuff from the internet. there are plenty
of those good old email clients :)
--
cheers,
Holger
Konstantin Ryabitsev
May 14, 2018, 11:28:40 AM5/14/18
to Jean-Philippe Ouellet, qubes-devel
On 05/14/18 11:20, Jean-Philippe Ouellet wrote:
> Shouldn't be terribly surprising to this crowd, but: https://efail.de/
>
> Simply using split-pgp does *NOT* protect you against this, especially
> if you have agent authorization with a non-zero timeout.
>
> The immediate impact on Qubes developers is that one should use
> separate keys for email and code signing, have your secret keys in
> separate split-gpg backend domains, and not allow any VM with an email
> client to make requests to the VM holding your code-signing keys. In
> other words, have disjoint sets of development and communication
> domains.
Not that it's a wrong recommendation, but the efail stuff is not about
> Shouldn't be terribly surprising to this crowd, but: https://efail.de/
>
> Simply using split-pgp does *NOT* protect you against this, especially
> if you have agent authorization with a non-zero timeout.
>
> The immediate impact on Qubes developers is that one should use
> separate keys for email and code signing, have your secret keys in
> separate split-gpg backend domains, and not allow any VM with an email
> client to make requests to the VM holding your code-signing keys. In
> other words, have disjoint sets of development and communication
> domains.
exposing keys -- it's a way to leak cleartext via HTML messages. There
is no way efail would allow leaking someone's signing keys.
Regards,
--
Konstantin Ryabitsev
Director, IT Infrastructure Security
The Linux Foundation
Jean-Philippe Ouellet
May 14, 2018, 11:30:37 AM5/14/18
to qubes-devel
I would not be one bit surprised if there's some memory corruption
lurking somewhere in mutt, so I think separating email and signing is
a good idea regardless.
I've made this argument before, but now there's a recent concrete
example as motivation.
Holger Levsen
May 14, 2018, 11:37:09 AM5/14/18
to qubes-devel
On Mon, May 14, 2018 at 11:30:09AM -0400, Jean-Philippe Ouellet wrote:
> On Mon, May 14, 2018 at 11:26 AM, Holger Levsen <hol...@layer-acht.org> wrote:
> > On Mon, May 14, 2018 at 11:20:29AM -0400, Jean-Philippe Ouellet wrote:
> >> The immediate impact on Qubes developers is that one should use
> >> separate keys…
> >
> > or simple use an email client which cannot display html and doesnt
> > active elements and reloading stuff from the internet. there are plenty
> > of those good old email clients :)
>
> I agree with your recommendation, but consider it orthogonal.
>
> I would not be one bit surprised if there's some memory corruption
> lurking somewhere in mutt, so I think separating email and signing is
> a good idea regardless.
I agree. (and should have used "and" instead of "or" as my first word in
> On Mon, May 14, 2018 at 11:26 AM, Holger Levsen <hol...@layer-acht.org> wrote:
> > On Mon, May 14, 2018 at 11:20:29AM -0400, Jean-Philippe Ouellet wrote:
> >> The immediate impact on Qubes developers is that one should use
> >> separate keys…
> >
> > or simple use an email client which cannot display html and doesnt
> > active elements and reloading stuff from the internet. there are plenty
> > of those good old email clients :)
>
> I agree with your recommendation, but consider it orthogonal.
>
> I would not be one bit surprised if there's some memory corruption
> lurking somewhere in mutt, so I think separating email and signing is
> a good idea regardless.
the previous reply.)
And this is even nicely documented, see qubes-doc/security/split-gpg.md
and "Advanced: Using Split GPG with Subkeys" there.
--
cheers,
Holger
Jean-Philippe Ouellet
May 14, 2018, 11:37:31 AM5/14/18
to Konstantin Ryabitsev, qubes-devel
Still though.
Joe
May 16, 2018, 10:53:49 AM5/16/18
to qubes...@googlegroups.com
On 05/14/2018 05:30 PM, Jean-Philippe Ouellet wrote:
> On Mon, May 14, 2018 at 11:26 AM, Holger Levsen <hol...@layer-acht.org> wrote:
>> On Mon, May 14, 2018 at 11:20:29AM -0400, Jean-Philippe Ouellet wrote:
>>> The immediate impact on Qubes developers is that one should use
>>> separate keys…
>>
>> or simple use an email client which cannot display html and doesnt
>> active elements and reloading stuff from the internet. there are plenty
>> of those good old email clients :)
>
> I agree with your recommendation, but consider it orthogonal.
>
> I would not be one bit surprised if there's some memory corruption
> lurking somewhere in mutt, so I think separating email and signing is
> a good idea regardless.
Pretty sure there are more lurking in Thunderbird :-)
> On Mon, May 14, 2018 at 11:26 AM, Holger Levsen <hol...@layer-acht.org> wrote:
>> On Mon, May 14, 2018 at 11:20:29AM -0400, Jean-Philippe Ouellet wrote:
>>> The immediate impact on Qubes developers is that one should use
>>> separate keys…
>>
>> or simple use an email client which cannot display html and doesnt
>> active elements and reloading stuff from the internet. there are plenty
>> of those good old email clients :)
>
> I agree with your recommendation, but consider it orthogonal.
>
> I would not be one bit surprised if there's some memory corruption
> lurking somewhere in mutt, so I think separating email and signing is
> a good idea regardless.
But in any case gpg signing is pretty tricky.
For instance the "clearsign" thing is basically worthless.
Marek Marczykowski-Górecki
May 16, 2018, 11:12:21 AM5/16/18
to Jean-Philippe Ouellet, Konstantin Ryabitsev, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Even if this issue doesn't allow to steal private keys, we do have
separate keys for code signing. Generally our policy for keys included
in qubes-builder/qubes-developers-keys.asc is:
1. Key generated and stored in dedicated VM, using split gpg.
2. Key used solely for Qubes OS code signing (not even just code
signing)
3. Separate devel VM with access to that key (qubes.Gpg service policy).
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlr8Sk0ACgkQ24/THMrX
1ywAuwgAmtCL6HKf05q3nWrfB6ETnn6PK5vGJy8eDv0wNyf23NQ8jHh0Nf9nUSB4
hjpuhMpjVY4IRfeKNmNdp55d5bljzV1ArZpM+00sicZrciFU+i1XoRCtVNxuiaZC
pfIEkKp2ymNuESUiJ15c8lK//VQD/NS8OaziwdP1er1mNPcyEy7vXTvpx84i7xRB
c/WgTA3PTjHqoVN2AoXkzSoFXjbBbJhCOpH1Maov/jvNoyFXZv0Xm/CUXb2NY9Fo
E8EmhO8wd+zR73YRK/OEZ3/ZZX8tOqUGdkmyAvNa3v2b4eIzrtbyhfCuVjDs6F/h
yoKSCek8Nbym0qX8K8bfUgrj+OHDLA==
=g+eQ
-----END PGP SIGNATURE-----
Hash: SHA256
separate keys for code signing. Generally our policy for keys included
in qubes-builder/qubes-developers-keys.asc is:
1. Key generated and stored in dedicated VM, using split gpg.
2. Key used solely for Qubes OS code signing (not even just code
signing)
3. Separate devel VM with access to that key (qubes.Gpg service policy).
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlr8Sk0ACgkQ24/THMrX
1ywAuwgAmtCL6HKf05q3nWrfB6ETnn6PK5vGJy8eDv0wNyf23NQ8jHh0Nf9nUSB4
hjpuhMpjVY4IRfeKNmNdp55d5bljzV1ArZpM+00sicZrciFU+i1XoRCtVNxuiaZC
pfIEkKp2ymNuESUiJ15c8lK//VQD/NS8OaziwdP1er1mNPcyEy7vXTvpx84i7xRB
c/WgTA3PTjHqoVN2AoXkzSoFXjbBbJhCOpH1Maov/jvNoyFXZv0Xm/CUXb2NY9Fo
E8EmhO8wd+zR73YRK/OEZ3/ZZX8tOqUGdkmyAvNa3v2b4eIzrtbyhfCuVjDs6F/h
yoKSCek8Nbym0qX8K8bfUgrj+OHDLA==
=g+eQ
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages