[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:18.07,Default,,0000,0000,0000,,{\i1}35C3 preroll music{\i0}
Dialogue: 0,0:00:18.07,0:00:24.07,Default,,0000,0000,0000,,Herald: The following talk is about email\Nencryption. Who worries that their email
Dialogue: 0,0:00:24.07,0:00:32.80,Default,,0000,0000,0000,,encryption might be capable of being\Nhacked or cracked? Worry not as far as I'm
Dialogue: 0,0:00:32.80,0:00:40.05,Default,,0000,0000,0000,,told it still is rather secure. But. And\Nthe but will be answered by Sebastian
Dialogue: 0,0:00:40.05,0:00:45.88,Default,,0000,0000,0000,,Schinzel who is one of the eight security\Nresearchers who uncovered the drama and
Dialogue: 0,0:00:45.88,0:00:54.83,Default,,0000,0000,0000,,the details behind e-fail. A recently\Noccurred issue with OpenPGP and S/MIME
Dialogue: 0,0:00:54.83,0:00:59.60,Default,,0000,0000,0000,,in a lot of email clients. All the\Ntechnical details he will dig into so
Dialogue: 0,0:00:59.60,0:01:03.34,Default,,0000,0000,0000,,please give a warm hand of applause for\NSebastian Schinzel.
Dialogue: 0,0:01:03.34,0:01:09.85,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:01:09.85,0:01:15.08,Default,,0000,0000,0000,,Sebastian: So it's good to be back. Thank\Nyou everyone for coming. My name is
Dialogue: 0,0:01:15.08,0:01:22.08,Default,,0000,0000,0000,,Sebastian. It's my fourth talk here at the\NCCC. And the other talks that I did were
Dialogue: 0,0:01:22.08,0:01:27.26,Default,,0000,0000,0000,,also on encryption so I somehow like\Nencryption and I like analyzing encryption
Dialogue: 0,0:01:27.26,0:01:31.32,Default,,0000,0000,0000,,and I like to break encryption. So I did a\Ntalk on TLS where we found an attack
Dialogue: 0,0:01:31.32,0:01:39.07,Default,,0000,0000,0000,,against TLS and against XML encryption for\Nexample. And I usually start my talk by
Dialogue: 0,0:01:39.07,0:01:45.03,Default,,0000,0000,0000,,asking Who's using this this specific\Ntechnology, right? Because when you when
Dialogue: 0,0:01:45.03,0:01:49.71,Default,,0000,0000,0000,,you usually when you're analyzing or doing\Na talk about a communication protocol you
Dialogue: 0,0:01:49.71,0:01:57.14,Default,,0000,0000,0000,,ask the people who's using that and you\Nknow for e-mail it would be silly, right?
Dialogue: 0,0:01:57.14,0:02:00.20,Default,,0000,0000,0000,,Because, who's using e-mail. \NEvery one of you is using e-mail.
Dialogue: 0,0:02:00.20,0:02:04.92,Default,,0000,0000,0000,,OK. Because I don't know. I mean when you\Nstarted using the Internet like
Dialogue: 0,0:02:04.92,0:02:10.37,Default,,0000,0000,0000,,in the last 20 years or so usually\Nthe first thing that you do you dial in
Dialogue: 0,0:02:10.37,0:02:13.41,Default,,0000,0000,0000,,onto the Internet and you make\Nyourself an e-mail address, right?
Dialogue: 0,0:02:13.41,0:02:20.98,Default,,0000,0000,0000,,So everyone has everyone uses e-mail. But\Nlet's take a look at how things work when
Dialogue: 0,0:02:20.98,0:02:25.36,Default,,0000,0000,0000,,when you send an email. So when you click\Nin your email client when you when you
Dialogue: 0,0:02:25.36,0:02:30.33,Default,,0000,0000,0000,,compose an email and you click into your\Nemail client "Send". So the first thing is
Dialogue: 0,0:02:30.33,0:02:34.99,Default,,0000,0000,0000,,on one of your devices you're using the\Nlocal network and there's a green arrow
Dialogue: 0,0:02:34.99,0:02:40.79,Default,,0000,0000,0000,,because it's under your control. So you\Ncan define by yourself how secure this
Dialogue: 0,0:02:40.79,0:02:45.56,Default,,0000,0000,0000,,link is gonna be. Then you use the next\Nconnection and the next connection will be
Dialogue: 0,0:02:45.56,0:02:50.44,Default,,0000,0000,0000,,to your SMTP server. And this is also a \Ngreen arrow because it's under your control.
Dialogue: 0,0:02:50.44,0:02:53.34,Default,,0000,0000,0000,,Okay. You can control this \Nand usually it's TLS.
Dialogue: 0,0:02:53.34,0:02:58.95,Default,,0000,0000,0000,,The same as valid for your IMAP\Nfolder because always when you send an
Dialogue: 0,0:02:58.95,0:03:07.18,Default,,0000,0000,0000,,email via SMTP you will upload a copy to\Nyour "sent" folder on IMAP and it uses TLS
Dialogue: 0,0:03:07.18,0:03:12.38,Default,,0000,0000,0000,,in most of the cases so therefore the\Narrow is green. The arrow is not that
Dialogue: 0,0:03:12.38,0:03:17.66,Default,,0000,0000,0000,,green anymore when it comes to the backup\Nstrategy for example an archiving strategy
Dialogue: 0,0:03:17.66,0:03:23.60,Default,,0000,0000,0000,,of your email provider which may be gmail\Nor gmx for example or your company. OK.
Dialogue: 0,0:03:23.60,0:03:27.37,Default,,0000,0000,0000,,But you may have a chance to know the\Nadministrators and ask him whether they
Dialogue: 0,0:03:27.37,0:03:33.58,Default,,0000,0000,0000,,are doing a good job and stuff like\Nthat. You're also - it's not under your
Dialogue: 0,0:03:33.58,0:03:38.84,Default,,0000,0000,0000,,control where else your email is uploaded\Nto. So for example in order to check it
Dialogue: 0,0:03:38.84,0:03:44.62,Default,,0000,0000,0000,,for antivirus or anti spam and stuff like\Nthat, right? So it gets uploaded to some
Dialogue: 0,0:03:44.62,0:03:50.39,Default,,0000,0000,0000,,cloud, right? Because you want to do a\Nspam filtering and then it goes out to the
Dialogue: 0,0:03:50.39,0:03:54.20,Default,,0000,0000,0000,,Internet and you know we learned what's\Nhappening on the Internet. People are
Dialogue: 0,0:03:54.20,0:04:00.46,Default,,0000,0000,0000,,listening in on the Internet and we heard\Nfrom Edward Snowden for example that many
Dialogue: 0,0:04:00.46,0:04:05.15,Default,,0000,0000,0000,,nation state actors and agencies are\Ndoing this as well they are listening into
Dialogue: 0,0:04:05.15,0:04:11.55,Default,,0000,0000,0000,,your e-mails or they at least try to. And\Nthen the arrows get red as soon as it hits
Dialogue: 0,0:04:11.55,0:04:16.43,Default,,0000,0000,0000,,the SMTP server of the receiver. Right.\NBecause you don't really know whether they
Dialogue: 0,0:04:16.43,0:04:21.25,Default,,0000,0000,0000,,are using TLS, encryption in any case. You\Ndon't know whether they upload it to
Dialogue: 0,0:04:21.25,0:04:27.04,Default,,0000,0000,0000,,another antivirus vendor or so and then it\Ngets uploaded to the IMAP folder to the
Dialogue: 0,0:04:27.04,0:04:31.99,Default,,0000,0000,0000,,inbox of the receiver where it gets\Narchived again, right? There is a backup
Dialogue: 0,0:04:31.99,0:04:38.31,Default,,0000,0000,0000,,is being done and stuff like that, it's\Narchived. And then finally the receiver of
Dialogue: 0,0:04:38.31,0:04:42.83,Default,,0000,0000,0000,,the e-mail has the ability to check his\Nown email and retrieve the e-mail
Dialogue: 0,0:04:42.83,0:04:49.15,Default,,0000,0000,0000,,from his inbox. OK. So even if you know\Nthat the other person that you've just
Dialogue: 0,0:04:49.15,0:04:53.49,Default,,0000,0000,0000,,sent the e-mail to does a good job in\Nsecuring it and uses encryption everywhere
Dialogue: 0,0:04:53.49,0:04:56.38,Default,,0000,0000,0000,,and so on and so on.\NYou never know whether there's some
Dialogue: 0,0:04:56.38,0:05:01.78,Default,,0000,0000,0000,,attacker or so who has compromised the\Ninfrastructure and so on and so on. OK.
Dialogue: 0,0:05:01.78,0:05:06.79,Default,,0000,0000,0000,,And this problem multiplies.\NWhen you send an e-mail to multiple people
Dialogue: 0,0:05:06.79,0:05:11.14,Default,,0000,0000,0000,,because then all of a sudden the e-mail\Nthat you just sent, your e-mail, hits
Dialogue: 0,0:05:11.14,0:05:17.27,Default,,0000,0000,0000,,infrastructures of many other people. OK?\NSo many people have access to this
Dialogue: 0,0:05:17.27,0:05:22.14,Default,,0000,0000,0000,,e-mail and this is the first thing that I\Nwant to - this is the first point that I
Dialogue: 0,0:05:22.14,0:05:27.43,Default,,0000,0000,0000,,want to make in this talk. People usually\Ntalk about their e-mail. It's my e-mail,
Dialogue: 0,0:05:27.43,0:05:31.96,Default,,0000,0000,0000,,you know? And when I run my own mail server\Nit's going to be secure but this is not
Dialogue: 0,0:05:31.96,0:05:36.63,Default,,0000,0000,0000,,the case. I mean the the point of\Nusing e-mail is distributing it to your
Dialogue: 0,0:05:36.63,0:05:40.03,Default,,0000,0000,0000,,friends to your colleagues and so on and\Nso on because we want to exchange.
Dialogue: 0,0:05:40.03,0:05:43.43,Default,,0000,0000,0000,,It's a communication method but the\Ncommunication is archived so people
Dialogue: 0,0:05:43.43,0:05:52.12,Default,,0000,0000,0000,,archive this and so on and so on. So it's\Nit's a mess basically. OK. So for the rest
Dialogue: 0,0:05:52.12,0:05:56.09,Default,,0000,0000,0000,,of this talk we need to have some\Nassumption that someone has access to the
Dialogue: 0,0:05:56.09,0:06:02.09,Default,,0000,0000,0000,,e-mails. OK. Because right. We just\Nlearned that it's distributed. You're
Dialogue: 0,0:06:02.09,0:06:05.62,Default,,0000,0000,0000,,archiving your own e-mails in your IMAP\Nfolder and so on and so on I have the
Dialogue: 0,0:06:05.62,0:06:09.52,Default,,0000,0000,0000,,e-mails of the last 15 years or so in my\Nin my IMAP folder and if someone gets
Dialogue: 0,0:06:09.52,0:06:14.94,Default,,0000,0000,0000,,access to it - right - boom. I have a\Nproblem. Okay. And in order to cope with
Dialogue: 0,0:06:14.94,0:06:19.09,Default,,0000,0000,0000,,this people came up with end-to-end\Nencryption. And there's two competing
Dialogue: 0,0:06:19.09,0:06:28.18,Default,,0000,0000,0000,,standards out there. The first one is\NOpenPGP. It was first defined in 1991 from
Dialogue: 0,0:06:28.18,0:06:32.34,Default,,0000,0000,0000,,Phil Zimmermann invited it. And this was\Nlike this happened in the first crypto
Dialogue: 0,0:06:32.34,0:06:39.40,Default,,0000,0000,0000,,wars. So this is a very interesting story.\NAnd it's the most widely used e-mail
Dialogue: 0,0:06:39.40,0:06:42.94,Default,,0000,0000,0000,,clients they they support OpenPGP but\Nonly when you when you download the
Dialogue: 0,0:06:42.94,0:06:48.59,Default,,0000,0000,0000,,plug-in, OK? For S/MIME you usually\Nhave native support in most of the
Dialogue: 0,0:06:48.59,0:06:52.90,Default,,0000,0000,0000,,applications so you just get an S/MIME\Ncertificate and off you go.
Dialogue: 0,0:06:52.90,0:06:57.02,Default,,0000,0000,0000,,You can just use it and it just works out\Nof the box but it's mostly used by
Dialogue: 0,0:06:57.02,0:07:01.53,Default,,0000,0000,0000,,corporate organizations and military for\Nexample right. Not so much by privacy
Dialogue: 0,0:07:01.53,0:07:06.70,Default,,0000,0000,0000,,advocates like OpenPGP.\NNow we can't measure very well how many
Dialogue: 0,0:07:06.70,0:07:11.23,Default,,0000,0000,0000,,people use S/MIME. We tried but there\Ndoesn't seem to be a public source where
Dialogue: 0,0:07:11.23,0:07:15.79,Default,,0000,0000,0000,,we can measure this but we can do it on\NPGP because PGP has key servers and you
Dialogue: 0,0:07:15.79,0:07:19.52,Default,,0000,0000,0000,,can upload your key there so that people\Ncan communicate with you in a secure
Dialogue: 0,0:07:19.52,0:07:26.15,Default,,0000,0000,0000,,manner. And this statistic here is the\Namount of new published public keys per
Dialogue: 0,0:07:26.15,0:07:32.92,Default,,0000,0000,0000,,month. And it started off very low in\N1997. Then in 2003 we saw a constant rise
Dialogue: 0,0:07:32.92,0:07:39.60,Default,,0000,0000,0000,,until 2013 where we see a a spike here\Nwhere it more than doubled. Does anyone
Dialogue: 0,0:07:39.60,0:07:43.33,Default,,0000,0000,0000,,know why we saw this spike in 2013?\NSomeone in the audience: Snowden!
Dialogue: 0,0:07:43.33,0:07:48.56,Default,,0000,0000,0000,,Sebastian: Snowden right. Edward Snowden\Nwe had the Snowden revelations and Edward
Dialogue: 0,0:07:48.56,0:07:54.06,Default,,0000,0000,0000,,Snowden uses PGP to communicate with the\Njournalists who did the actual, like,
Dialogue: 0,0:07:54.06,0:07:59.64,Default,,0000,0000,0000,,disclosure of the documents. And so we see\Nthis in the uploader keys so people use
Dialogue: 0,0:07:59.64,0:08:05.50,Default,,0000,0000,0000,,PGP much more. We also see this in \Nthe amount of daily users of Enigmail
Dialogue: 0,0:08:05.50,0:08:10.56,Default,,0000,0000,0000,,which is the plugin for Thunderbird. \NAnd you can extract this
Dialogue: 0,0:08:10.56,0:08:16.40,Default,,0000,0000,0000,,information and there we also see around\N2013 we see a jump and it increased by 50
Dialogue: 0,0:08:16.40,0:08:21.14,Default,,0000,0000,0000,,percent or so something like this. So\Npeople use PGP, right? It's not that many
Dialogue: 0,0:08:21.14,0:08:25.21,Default,,0000,0000,0000,,when you compare it to how many people use\Ne-mail a few hundred thousand is not that
Dialogue: 0,0:08:25.21,0:08:31.58,Default,,0000,0000,0000,,much but still it's a substantial number.\NThe problem here is we know for a fact
Dialogue: 0,0:08:31.58,0:08:38.00,Default,,0000,0000,0000,,that in the last 20 years or so especially\Nnon-technical users are not able to use
Dialogue: 0,0:08:38.00,0:08:43.86,Default,,0000,0000,0000,,PGP in a secure manner. Okay. So we have\Nthe first paper from '99: "Why Johnny
Dialogue: 0,0:08:43.86,0:08:49.09,Default,,0000,0000,0000,,Can't encrypt" and then we have a follow\Nup paper from 2006: "Why Johnny still
Dialogue: 0,0:08:49.09,0:08:54.70,Default,,0000,0000,0000,,can't encrypt", OK? So OK. Must've\Nbeen better I hope and then in 2015 we
Dialogue: 0,0:08:54.70,0:09:00.46,Default,,0000,0000,0000,,have "why Johnny Still, Still can't\Nencrypt". OK? so we have a long story
Dialogue: 0,0:09:00.46,0:09:06.17,Default,,0000,0000,0000,,where people try to use PGP but failed,\NOK? And this is not something that is
Dialogue: 0,0:09:06.17,0:09:13.31,Default,,0000,0000,0000,,inherent in an OpenPGP. We have the same\Npapers for S/MIME where they said
Dialogue: 0,0:09:13.31,0:09:18.24,Default,,0000,0000,0000,,novice users - and where they confronted \Nnovice users with with S/MIME and they
Dialogue: 0,0:09:18.24,0:09:23.26,Default,,0000,0000,0000,,failed, basically. They weren't able to \Nuse it in a secure manner. Okay.
Dialogue: 0,0:09:23.26,0:09:29.24,Default,,0000,0000,0000,,So therefore in order to enable people to\Nuse PGP, especially PGP and S/MIME in a
Dialogue: 0,0:09:29.24,0:09:34.30,Default,,0000,0000,0000,,secure manner you have many tutorials out\Nthere. And this is a very interesting
Dialogue: 0,0:09:34.30,0:09:38.90,Default,,0000,0000,0000,,tutorial because it's the original video\Nthat Edward Snowden recorded in order to
Dialogue: 0,0:09:38.90,0:09:44.48,Default,,0000,0000,0000,,teach Glenn Greenwald how to use openPGP.\NIt's still on Vimeo. The original video is
Dialogue: 0,0:09:44.48,0:09:49.33,Default,,0000,0000,0000,,still there. And what is interesting there\Nis he doesn't recommend a plugin for an
Dialogue: 0,0:09:49.33,0:09:55.17,Default,,0000,0000,0000,,email client. He basically says just use\Nweb mail and use this PGP standalone
Dialogue: 0,0:09:55.17,0:10:00.46,Default,,0000,0000,0000,,application type your message there click\Nencrypt and copy and paste the ciphertext
Dialogue: 0,0:10:00.46,0:10:06.04,Default,,0000,0000,0000,,into your web mail, OK? So there's no\Nintegration and others recommend for
Dialogue: 0,0:10:06.04,0:10:13.12,Default,,0000,0000,0000,,example Enigmail or GPGtools. Enigmail is\Nthe plugin for Thunderbird and GPGtools is
Dialogue: 0,0:10:13.12,0:10:18.39,Default,,0000,0000,0000,,the plug in for Apple mail, which \Nmeans that most of them had HTML
Dialogue: 0,0:10:18.39,0:10:22.97,Default,,0000,0000,0000,,switched on which is an interesting fact.\NOK. For something that we are going to
Dialogue: 0,0:10:22.97,0:10:29.34,Default,,0000,0000,0000,,talk about later. So I thought about how\Ncan I do this talk. And this is how I came
Dialogue: 0,0:10:29.34,0:10:33.65,Default,,0000,0000,0000,,up with the agenda. So we start off with\Nsome attacks that are very I find pretty
Dialogue: 0,0:10:33.65,0:10:37.26,Default,,0000,0000,0000,,interesting. At least for an academic they\Nare pretty interesting, and we slowly
Dialogue: 0,0:10:37.26,0:10:42.30,Default,,0000,0000,0000,,degrade to pretty silly attacks and you\Ndecide for yourself whether you would fall
Dialogue: 0,0:10:42.30,0:10:47.72,Default,,0000,0000,0000,,for it or not. I came to the conclusion\Nthat I would probably fall for them. OK,
Dialogue: 0,0:10:47.72,0:10:53.78,Default,,0000,0000,0000,,I lied. So we start off with something\Nthat is even worse than silly. So what is
Dialogue: 0,0:10:53.78,0:10:58.21,Default,,0000,0000,0000,,it what's the worst thing that can happen\Nwhen you're sending an encrypted mail.
Dialogue: 0,0:10:58.21,0:11:00.57,Default,,0000,0000,0000,,Audience: You send your private key.
Dialogue: 0,0:11:00.57,0:11:03.69,Default,,0000,0000,0000,,Sebastian: if you send your private key\Nthere would be bad. What's even worse?
Dialogue: 0,0:11:03.69,0:11:06.29,Default,,0000,0000,0000,,Audience: You forget to encrypt.
Dialogue: 0,0:11:06.29,0:11:11.77,Default,,0000,0000,0000,,Sebastian: you send a plain text. Okay\Nokay. So in 2014 there was a bug in
Dialogue: 0,0:11:11.77,0:11:16.21,Default,,0000,0000,0000,,Enigmail which is documented in their bug\Ntracker. So basically you compose an e-mail
Dialogue: 0,0:11:16.21,0:11:19.86,Default,,0000,0000,0000,,you tell Enigmail to sign and encrypt\Nit, and then you send it and it will be
Dialogue: 0,0:11:19.86,0:11:27.86,Default,,0000,0000,0000,,sent in plain text. Okay. Oh okay. This is\Nnot good. In 2017 Outlook did it much better
Dialogue: 0,0:11:27.86,0:11:32.71,Default,,0000,0000,0000,,because they did encrypt it but they\Npacked the plain text along with the
Dialogue: 0,0:11:32.71,0:11:42.35,Default,,0000,0000,0000,,ciphertext. (Audience: laughing) Okay. Bad.\NAnd then in 2018 you may remember this is
Dialogue: 0,0:11:42.35,0:11:48.27,Default,,0000,0000,0000,,just a few months back or so Enigmail or\Npretty easy privacy. It's a plugin to
Dialogue: 0,0:11:48.27,0:11:52.66,Default,,0000,0000,0000,,Enigmail, so a plugin to a plugin that's\Nactually used for novice users. It gave
Dialogue: 0,0:11:52.66,0:11:57.04,Default,,0000,0000,0000,,the feedback that the email that you're\Ncomposing will be encrypted but it wasn't.
Dialogue: 0,0:11:57.04,0:12:04.53,Default,,0000,0000,0000,,Okay. And the good news here is: the\Ne-mail attacks don't apply here because,
Dialogue: 0,0:12:04.53,0:12:10.23,Default,,0000,0000,0000,,OK, I mean, it's about I don't want to make\Nfun of any developers. The point that I'm
Dialogue: 0,0:12:10.23,0:12:16.01,Default,,0000,0000,0000,,trying to make here is that email is a\Nplaintext protocol and it's always very
Dialogue: 0,0:12:16.01,0:12:21.89,Default,,0000,0000,0000,,difficult to make a protocol that was made\Nfor plain text delivery - to make this
Dialogue: 0,0:12:21.89,0:12:26.04,Default,,0000,0000,0000,,encrypted. When you have a plaintext\Nfallback you're into trouble. Okay. And we
Dialogue: 0,0:12:26.04,0:12:33.71,Default,,0000,0000,0000,,we saw the same basically with HTTP and\NHTTPS. OK. So HTTPS is like now secure but
Dialogue: 0,0:12:33.71,0:12:37.64,Default,,0000,0000,0000,,they hit the same issues right and\Nbrowsers and so they were falling back to
Dialogue: 0,0:12:37.64,0:12:42.53,Default,,0000,0000,0000,,HTTP and so on and so on. So it's really\Nreally difficult. Now that we have this
Dialogue: 0,0:12:42.53,0:12:47.92,Default,,0000,0000,0000,,out of the way. Okay. We tried to look at\Nthe interesting interesting box and before
Dialogue: 0,0:12:47.92,0:12:53.58,Default,,0000,0000,0000,,we start I want to make a short\Nintroduction into how the cryptography in
Dialogue: 0,0:12:53.58,0:12:59.61,Default,,0000,0000,0000,,S/MIME and PGP work. And I just make one\Nintroduction because both are the same
Dialogue: 0,0:12:59.61,0:13:03.00,Default,,0000,0000,0000,,from the viewpoint of the attacks that I'm\Ngoing to present. Okay. Both are very
Dialogue: 0,0:13:03.00,0:13:08.77,Default,,0000,0000,0000,,similar actually. So we start off by\Nwriting a message, m, this is here we
Dialogue: 0,0:13:08.77,0:13:13.76,Default,,0000,0000,0000,,generate a session key, s, that that's\Nbasically a random session key and we use
Dialogue: 0,0:13:13.76,0:13:19.78,Default,,0000,0000,0000,,this session key to encrypt the message\Nand make a cipher text, c, and we use AES
Dialogue: 0,0:13:19.78,0:13:26.39,Default,,0000,0000,0000,,or triple DES for example any symmetric\Ncipher will do here.
Dialogue: 0,0:13:26.39,0:13:31.91,Default,,0000,0000,0000,,Then we use this session key that we just\Ngenerated and encrypt this with a public
Dialogue: 0,0:13:31.91,0:13:37.16,Default,,0000,0000,0000,,key of the recipient and we get a K and we\Npack this K into the message so everything
Dialogue: 0,0:13:37.16,0:13:43.04,Default,,0000,0000,0000,,will be packed into a message and sent off\Nto the receiver. The receiver then
Dialogue: 0,0:13:43.04,0:13:49.05,Default,,0000,0000,0000,,obtains the encrypted email he starts\Nextracting the ciphertext K and the
Dialogue: 0,0:13:49.05,0:13:56.49,Default,,0000,0000,0000,,ciphertext C. From K he decrypts s which is\Nthe session key, right? And with s he can
Dialogue: 0,0:13:56.49,0:14:02.58,Default,,0000,0000,0000,,decrypt the ciphertext C and retrieves m.\NAnd so both have the same message. Okay.
Dialogue: 0,0:14:02.58,0:14:06.67,Default,,0000,0000,0000,,So it's basically a hybrid encryption you\Nuse symmetric encryption for the actual
Dialogue: 0,0:14:06.67,0:14:11.74,Default,,0000,0000,0000,,encryption off the message and then\Nasymmetric encryption to just encrypt this
Dialogue: 0,0:14:11.74,0:14:17.87,Default,,0000,0000,0000,,session key. Now, if you attended my\Nprevious talks I talk a lot about
Dialogue: 0,0:14:17.87,0:14:23.94,Default,,0000,0000,0000,,ciphertext malleability. So you make tiny\Nchanges to a cipher text and it will lead
Dialogue: 0,0:14:23.94,0:14:28.59,Default,,0000,0000,0000,,to predictable changes in the plaintext\Nwhich is strange, right? So we would
Dialogue: 0,0:14:28.59,0:14:33.53,Default,,0000,0000,0000,,assume when we just flip a bit here\Nsomewhere, okay? Here's a bit that just
Dialogue: 0,0:14:33.53,0:14:37.47,Default,,0000,0000,0000,,flipped and where we decrypted we get\Nsomething like this. Usually you would
Dialogue: 0,0:14:37.47,0:14:42.86,Default,,0000,0000,0000,,think OK. It's total garbage. Nothing\Nsensible should come out of
Dialogue: 0,0:14:42.86,0:14:47.12,Default,,0000,0000,0000,,this but we see something like this. Most\Nof the message is still intact. We just
Dialogue: 0,0:14:47.12,0:14:54.92,Default,,0000,0000,0000,,have a few randomly looking junk binary\Nstuff in there and we see one changed
Dialogue: 0,0:14:54.92,0:14:59.85,Default,,0000,0000,0000,,character here. That used to be "email"\Nand now it's "efail". Okay so there was
Dialogue: 0,0:14:59.85,0:15:04.24,Default,,0000,0000,0000,,just some bit flipping happening here. In\Norder to understand this we need to
Dialogue: 0,0:15:04.24,0:15:08.99,Default,,0000,0000,0000,,introduce something that we called a mode\Nof operation. AES or any other block
Dialogue: 0,0:15:08.99,0:15:14.91,Default,,0000,0000,0000,,cipher has the property that it uses\Nblocks. In most cases it's 16 bytes.
Dialogue: 0,0:15:14.91,0:15:20.52,Default,,0000,0000,0000,,And when you want to encrypt more than 16\Nbytes you need to call AES multiple times
Dialogue: 0,0:15:20.52,0:15:25.47,Default,,0000,0000,0000,,and you split it into blocks and CBC is\None way of connecting these ciphertext
Dialogue: 0,0:15:25.47,0:15:30.58,Default,,0000,0000,0000,,blocks so the decryption works like this.\NYou have the first ciphertext block the
Dialogue: 0,0:15:30.58,0:15:36.84,Default,,0000,0000,0000,,second ciphertext block and the third\Nciphertext block. Only the second one is
Dialogue: 0,0:15:36.84,0:15:43.02,Default,,0000,0000,0000,,decrypted so C1 is decrypted using AES and\Nyour key for example. And the result here
Dialogue: 0,0:15:43.02,0:15:50.00,Default,,0000,0000,0000,,is not directly the plaintext but it will\Nbe XORed with C0 which will we would also
Dialogue: 0,0:15:50.00,0:15:55.47,Default,,0000,0000,0000,,call an initialization vector. Okay so\Nwhatever is written in here will be XORed
Dialogue: 0,0:15:55.47,0:16:00.55,Default,,0000,0000,0000,,on whatever comes out of this description\Nand we get this plaintext here. Now when
Dialogue: 0,0:16:00.55,0:16:06.97,Default,,0000,0000,0000,,we flip a bit or when we change a certain\Nbyte in C0 we change whatever comes out
Dialogue: 0,0:16:06.97,0:16:11.93,Default,,0000,0000,0000,,here of the decryption and we will\Nflip the same bit at the same position in
Dialogue: 0,0:16:11.93,0:16:18.89,Default,,0000,0000,0000,,the plaintext which is interesting because\Nnow when we say we use the original c0 and
Dialogue: 0,0:16:18.89,0:16:27.41,Default,,0000,0000,0000,,XOR it with p0. So when we XOR it when we\NXOR two times the same value we get
Dialogue: 0,0:16:27.41,0:16:33.87,Default,,0000,0000,0000,,basically a block of all zeros which is\Nlike a blank sheet of paper that we can
Dialogue: 0,0:16:33.87,0:16:38.57,Default,,0000,0000,0000,,write on and we call this thing - these two\Nblocks here in combination - we call this a
Dialogue: 0,0:16:38.57,0:16:45.06,Default,,0000,0000,0000,,CBC gadget because we can reuse it as as\Nmuch as we want. And when we now take a
Dialogue: 0,0:16:45.06,0:16:51.19,Default,,0000,0000,0000,,chosen ciphertext the nice thing is here\Nwe just XOR it - the chosen ciphertext on
Dialogue: 0,0:16:51.19,0:16:55.73,Default,,0000,0000,0000,,this initialization vector and it means\Nthat it will here result in a chosen
Dialogue: 0,0:16:55.73,0:17:00.64,Default,,0000,0000,0000,,ciphertext.\NSo this requires that we know the value of
Dialogue: 0,0:17:00.64,0:17:06.87,Default,,0000,0000,0000,,p0. We need to guess this value of p0. And\Nthis is always true at least for S/MIME
Dialogue: 0,0:17:06.87,0:17:11.77,Default,,0000,0000,0000,,because all S/MIME emails start with a\Ncontent type so we always know the first
Dialogue: 0,0:17:11.77,0:17:18.55,Default,,0000,0000,0000,,bytes. So this is valid. We can do this\Nnow. This was like the perfect
Dialogue: 0,0:17:18.55,0:17:23.95,Default,,0000,0000,0000,,scenario. It does have some drawbacks\Nbecause when we tried to do the same for
Dialogue: 0,0:17:23.95,0:17:30.08,Default,,0000,0000,0000,,C1 we switch, we flip, a bit here then we\Nflip a bit also here. But the decryption
Dialogue: 0,0:17:30.08,0:17:35.36,Default,,0000,0000,0000,,of C1 results in this random junk and we\Ncan't do anything about it. We don't know
Dialogue: 0,0:17:35.36,0:17:39.89,Default,,0000,0000,0000,,whatever will come out here and we can't\Ncontrol it. Okay we just have to deal with
Dialogue: 0,0:17:39.89,0:17:44.30,Default,,0000,0000,0000,,it. It's gonna be there when we use the\NCBC gadgets and we have to deal with it.
Dialogue: 0,0:17:44.30,0:17:49.48,Default,,0000,0000,0000,,We have to find a way to deal with it and\Nnow we can explain this behavior, you know?
Dialogue: 0,0:17:49.48,0:17:53.80,Default,,0000,0000,0000,,You remember this e-mail where we just\Nflipped a single bit and we saw one block
Dialogue: 0,0:17:53.80,0:17:58.95,Default,,0000,0000,0000,,was destroyed basically. And then the\Nother block we had like we can flip
Dialogue: 0,0:17:58.95,0:18:04.41,Default,,0000,0000,0000,,arbitrary bits. That's the explanation\Nfor it. Now how do you how do
Dialogue: 0,0:18:04.41,0:18:09.09,Default,,0000,0000,0000,,you deal with it. How should a proper\Ncrypto protocol deal with it. Usually you
Dialogue: 0,0:18:09.09,0:18:13.17,Default,,0000,0000,0000,,do something that is called a message\Nauthentication code. It's not a digital
Dialogue: 0,0:18:13.17,0:18:19.01,Default,,0000,0000,0000,,signature and message authentication code\Nis something like a checksum a
Dialogue: 0,0:18:19.01,0:18:24.24,Default,,0000,0000,0000,,cryptographic checksum that is \Nput right next to the
Dialogue: 0,0:18:24.24,0:18:28.17,Default,,0000,0000,0000,,encrypted message and that can be\Nchecked after decryption or for
Dialogue: 0,0:18:28.17,0:18:31.16,Default,,0000,0000,0000,,decryption. OK? The message\Nauthentication code is solely there to
Dialogue: 0,0:18:31.16,0:18:36.48,Default,,0000,0000,0000,,detect changes of a ciphertext. Digital\Nsignatures are different especially in the
Dialogue: 0,0:18:36.48,0:18:40.84,Default,,0000,0000,0000,,mail context because they're pretty\Nmuch totally separate from
Dialogue: 0,0:18:40.84,0:18:47.46,Default,,0000,0000,0000,,the decryption part. So digital signatures\Nare merely only used to display an icon
Dialogue: 0,0:18:47.46,0:18:55.71,Default,,0000,0000,0000,,for example for valid signature or invalid\Nsignature. And the problem here is a smart
Dialogue: 0,0:18:55.71,0:19:01.09,Default,,0000,0000,0000,,attacker can use a signed email and strip\Noff the signature. Okay. We just strip off
Dialogue: 0,0:19:01.09,0:19:06.26,Default,,0000,0000,0000,,this part that we know there's a signature\Nwe can remove the signature and then this
Dialogue: 0,0:19:06.26,0:19:09.98,Default,,0000,0000,0000,,doesn't mean there will be an invalid\Nsignature but will get something like
Dialogue: 0,0:19:09.98,0:19:15.77,Default,,0000,0000,0000,,this. This is the icon in thunderbird for\Nencrypted and not signed so we can simply
Dialogue: 0,0:19:15.77,0:19:21.97,Default,,0000,0000,0000,,strip off a signature and there's valid\Nreasons to send an encrypted email without
Dialogue: 0,0:19:21.97,0:19:27.72,Default,,0000,0000,0000,,doing a digital signature on it, right? So\Nwe want to do both. So digital
Dialogue: 0,0:19:27.72,0:19:34.08,Default,,0000,0000,0000,,signatures won't prevent this\Nattack. So how does S/MIME look like?
Dialogue: 0,0:19:34.08,0:19:39.17,Default,,0000,0000,0000,,Basically, I mean, most of you will have\Nheard of MIME. MIME is like a standard
Dialogue: 0,0:19:39.17,0:19:45.31,Default,,0000,0000,0000,,that we use in emails anyway. Here\Nwe have an e-mail header. It looks very
Dialogue: 0,0:19:45.31,0:19:50.60,Default,,0000,0000,0000,,similar to HTTP. We have content type,\Ncolon, empty space, and then it's
Dialogue: 0,0:19:50.60,0:19:56.64,Default,,0000,0000,0000,,whatever is coming now for data. And then\Nwe have an e-mail body with envelope data
Dialogue: 0,0:19:56.64,0:20:01.04,Default,,0000,0000,0000,,and there we have the list of the of the\Nencrypted session keys that this
Dialogue: 0,0:20:01.04,0:20:08.04,Default,,0000,0000,0000,,ciphertext was encrypted with. And after\Nthat we have the encrypted content info
Dialogue: 0,0:20:08.04,0:20:12.58,Default,,0000,0000,0000,,here. This part is the encrypted part\Nwhere the actual message where the actual
Dialogue: 0,0:20:12.58,0:20:17.49,Default,,0000,0000,0000,,message lies. And now when you look\Nclosely and you squint you see there's no
Dialogue: 0,0:20:17.49,0:20:22.54,Default,,0000,0000,0000,,message authentication code and it's not\Nbecause I left them out but because S/MIME
Dialogue: 0,0:20:22.54,0:20:26.67,Default,,0000,0000,0000,,doesn't define one. So S/MIME doesn't have\Na message authentication code which
Dialogue: 0,0:20:26.67,0:20:33.04,Default,,0000,0000,0000,,means it cannot detect bye the standard\Nwhether a message was changed - whether
Dialogue: 0,0:20:33.04,0:20:36.78,Default,,0000,0000,0000,,it was changed or not.\NSo how can we attack this?
Dialogue: 0,0:20:36.78,0:20:41.59,Default,,0000,0000,0000,,How can we use it? I think you all have a\Nfeeling that this shouldn't work, OK? This
Dialogue: 0,0:20:41.59,0:20:46.95,Default,,0000,0000,0000,,is nothing that is supposed to work.\NThis is the plain text that we want to
Dialogue: 0,0:20:46.95,0:20:51.21,Default,,0000,0000,0000,,exfiltrate and we only know the first\Nblock. We can pretty much always guess the
Dialogue: 0,0:20:51.21,0:20:56.38,Default,,0000,0000,0000,,first block because it's always content\Ntype: text/html or text/plain something
Dialogue: 0,0:20:56.38,0:21:03.96,Default,,0000,0000,0000,,like this. Now we can use this as a gadget\Nhere and write our arbitrary plain text.
Dialogue: 0,0:21:03.96,0:21:08.33,Default,,0000,0000,0000,,We have a random block and then chosen\Nplain text. Then we copy it again. We
Dialogue: 0,0:21:08.33,0:21:12.78,Default,,0000,0000,0000,,again have a random block and some chosen\Nplain text. Then we have a random block
Dialogue: 0,0:21:12.78,0:21:17.05,Default,,0000,0000,0000,,and a chosen plain text. Then we have a\Nrandom block and a chosen plain text. Then
Dialogue: 0,0:21:17.05,0:21:23.78,Default,,0000,0000,0000,,we copy here the original ciphertext and\Nwe close this thing. And when you look
Dialogue: 0,0:21:23.78,0:21:28.12,Default,,0000,0000,0000,,closely again you'll see that we're\Nbuilding HTML here right. That's the base
Dialogue: 0,0:21:28.12,0:21:33.92,Default,,0000,0000,0000,,tag. That's an image tag. It uses a URL.\NThat is not closed here. It will be closed
Dialogue: 0,0:21:33.92,0:21:40.49,Default,,0000,0000,0000,,down here. And this is effectively the\NURL. OK. A URL-path and will thus be
Dialogue: 0,0:21:40.49,0:21:45.20,Default,,0000,0000,0000,,exfiltrated. So when this XML is\Ninterpreted the actual plain text is sent
Dialogue: 0,0:21:45.20,0:21:51.75,Default,,0000,0000,0000,,to the server. And here we have an old\NThunderbird. So that is a version of
Dialogue: 0,0:21:51.75,0:21:58.10,Default,,0000,0000,0000,,before May and before we did the\Ndisclosure. We first compose a message
Dialogue: 0,0:21:58.10,0:22:03.42,Default,,0000,0000,0000,,just to have some PGP ciphertext. This is\Na very secret message. And here we have
Dialogue: 0,0:22:03.42,0:22:09.85,Default,,0000,0000,0000,,the attack e-mail that is already\Nprepared. And now it asks us
Dialogue: 0,0:22:09.85,0:22:13.82,Default,,0000,0000,0000,,"This remote content in here. What do you\Nwant to do?" And we just for the
Dialogue: 0,0:22:13.82,0:22:19.37,Default,,0000,0000,0000,,laughs just - like this - we just click it\Nand we see always now when we select the
Dialogue: 0,0:22:19.37,0:22:27.32,Default,,0000,0000,0000,,message an HTTP request is done to this\Nto this URL. And when we decode this - it
Dialogue: 0,0:22:27.32,0:22:32.33,Default,,0000,0000,0000,,looks pretty - it's encoded. But basically\Nwhat we have here now you see here is the
Dialogue: 0,0:22:32.33,0:22:37.37,Default,,0000,0000,0000,,secret message and here is random junk.\NAnd here again is random junk, right? So
Dialogue: 0,0:22:37.37,0:22:43.40,Default,,0000,0000,0000,,it was successfully exfiltrated. This was\Nthe first proof of concept that we had.
Dialogue: 0,0:22:43.40,0:22:50.54,Default,,0000,0000,0000,,Right? And. Okay right? And so this works.\NThis is like - this
Dialogue: 0,0:22:50.54,0:22:54.90,Default,,0000,0000,0000,,dialog here that you get in Thunderbird\Nthat ask if should I should a load remote
Dialogue: 0,0:22:54.90,0:22:59.58,Default,,0000,0000,0000,,images. Yes or no. This is basically\Neverything that is keeping you from losing
Dialogue: 0,0:22:59.58,0:23:06.40,Default,,0000,0000,0000,,your your PGP or S/MIME ciphertext - S/MIME\Nwe're talking about S/MIME here. Now what we
Dialogue: 0,0:23:06.40,0:23:11.65,Default,,0000,0000,0000,,did next was we were asking ourselves, OK:\NIt works with remote images. We understand
Dialogue: 0,0:23:11.65,0:23:16.20,Default,,0000,0000,0000,,this ,but what other back channels do we\Nhave? Back channel is something where
Dialogue: 0,0:23:16.20,0:23:20.69,Default,,0000,0000,0000,,your email client is communicating\Nover the network. That's. So it's not
Dialogue: 0,0:23:20.69,0:23:26.46,Default,,0000,0000,0000,,necessarily exfiltrating but it's just\Nlike how can we convince a client to make
Dialogue: 0,0:23:26.46,0:23:33.15,Default,,0000,0000,0000,,a connection to somewhere else. Now I\Ncolored in red all the e-mail clients that
Dialogue: 0,0:23:33.15,0:23:37.94,Default,,0000,0000,0000,,require user interaction - that always\Nrequire user interaction before it
Dialogue: 0,0:23:37.94,0:23:44.60,Default,,0000,0000,0000,,opens up a network connection somewhere.\NIn orange we say that there's no user
Dialogue: 0,0:23:44.60,0:23:49.84,Default,,0000,0000,0000,,interaction. So these are the clients that\Nallow for example loading remote images by
Dialogue: 0,0:23:49.84,0:23:54.47,Default,,0000,0000,0000,,default. OK. There's mail app for example\Nthere's gmail for example. They will not
Dialogue: 0,0:23:54.47,0:24:00.47,Default,,0000,0000,0000,,ask you they will just load it, OK? And\Nbut what we think is worse and therefore
Dialogue: 0,0:24:00.47,0:24:06.00,Default,,0000,0000,0000,,we colored it red are the clients that say\Nwe won't load remote images or any other
Dialogue: 0,0:24:06.00,0:24:11.65,Default,,0000,0000,0000,,way of communicating over the network. But\Nthen they will because we want bypasses.
Dialogue: 0,0:24:11.65,0:24:16.71,Default,,0000,0000,0000,,So because preventing loading remote\Nimages is basically a firewall and we
Dialogue: 0,0:24:16.71,0:24:23.21,Default,,0000,0000,0000,,bypass this local firewall and found\Nseveral ways of extracting it. And there's
Dialogue: 0,0:24:23.21,0:24:27.55,Default,,0000,0000,0000,,even four or five of them that even allow\NJavaScript execution in a mail
Dialogue: 0,0:24:27.55,0:24:32.99,Default,,0000,0000,0000,,client. I mean come on this is really\Nweird. So basically 40 of 47 clients have
Dialogue: 0,0:24:32.99,0:24:37.15,Default,,0000,0000,0000,,back channels that require no user\Ninteraction at all. And now we went out
Dialogue: 0,0:24:37.15,0:24:42.75,Default,,0000,0000,0000,,and tried to think about how can we\Nexfiltrate plain text over it. And this
Dialogue: 0,0:24:42.75,0:24:48.81,Default,,0000,0000,0000,,is the final table the final result\Ntable for S/MIME and it looks pretty
Dialogue: 0,0:24:48.81,0:24:54.26,Default,,0000,0000,0000,,grim, right? So the red ones means it's\Nvulnerable. That means we could exfiltrate
Dialogue: 0,0:24:54.26,0:24:59.54,Default,,0000,0000,0000,,plain text successfully. The ones with a\Ndash they don't support S/MIME and Claws
Dialogue: 0,0:24:59.54,0:25:04.05,Default,,0000,0000,0000,,and Mutt we just didn't find any \Nremote connection there.
Dialogue: 0,0:25:04.05,0:25:08.46,Default,,0000,0000,0000,,Okay. Which is good. Which is good. Yeah.\NThat's a round of applause. Right.
Dialogue: 0,0:25:08.46,0:25:12.66,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:25:12.66,0:25:17.50,Default,,0000,0000,0000,,So I didn't say what S in S/MIME means.\NIt actually means super. So it's super
Dialogue: 0,0:25:17.50,0:25:23.27,Default,,0000,0000,0000,,MIME. I don't know. Is it Super MIME? And\Nbasically his kryptonite. You know the the
Dialogue: 0,0:25:23.27,0:25:28.71,Default,,0000,0000,0000,,super villan of Super MIME is HTML. Right.\NYou could say this. So S/MIME is broken
Dialogue: 0,0:25:28.71,0:25:34.07,Default,,0000,0000,0000,,by HTML and it's a very annoying \Nkryptonite because it jumps you
Dialogue: 0,0:25:34.07,0:25:41.56,Default,,0000,0000,0000,,know like it's ugly colors. Now this is my\NThunderbird that I have on my Mac at home.
Dialogue: 0,0:25:41.56,0:25:46.09,Default,,0000,0000,0000,,So this is like something that I recorded\Ntwo days ago or so. And here I want to try
Dialogue: 0,0:25:46.09,0:25:52.94,Default,,0000,0000,0000,,to show you a way of exfiltrading the data\Nwithout using HTML. So HTML here is
Dialogue: 0,0:25:52.94,0:25:59.03,Default,,0000,0000,0000,,disabled. This is the message that we want\Nto break. And here we see the same message
Dialogue: 0,0:25:59.03,0:26:03.77,Default,,0000,0000,0000,,where we just changed, using\Ngadgeting, we just changed the URL.
Dialogue: 0,0:26:03.77,0:26:10.21,Default,,0000,0000,0000,,So in Thunderbird when you disable HTML\Nit will still highlight the links and when
Dialogue: 0,0:26:10.21,0:26:17.36,Default,,0000,0000,0000,,you click on it you're gonna exfiltrate\Nplain text, right. So we require a little
Dialogue: 0,0:26:17.36,0:26:23.72,Default,,0000,0000,0000,,bit of user interaction but we can\Nbasically change a S/MIME ciphertext in a
Dialogue: 0,0:26:23.72,0:26:28.23,Default,,0000,0000,0000,,way that it will contain links and when\Nyou click a single link you will lose your
Dialogue: 0,0:26:28.23,0:26:34.00,Default,,0000,0000,0000,,your plain text. It's just a single click\Non it and the thing here is - I mean this
Dialogue: 0,0:26:34.00,0:26:38.40,Default,,0000,0000,0000,,is not a zero day in e-mail client, right?\NYou just can't do anything about it.
Dialogue: 0,0:26:38.40,0:26:45.92,Default,,0000,0000,0000,,That's the problem. Okay. So people said \Nokay so efail - just disable HTML and then
Dialogue: 0,0:26:45.92,0:26:51.60,Default,,0000,0000,0000,,you'll be fine. But the problem here is\Nbasically efail should work with any
Dialogue: 0,0:26:51.60,0:26:56.79,Default,,0000,0000,0000,,format that supports external connections.\NSo as soon as you have a file format for
Dialogue: 0,0:26:56.79,0:27:01.74,Default,,0000,0000,0000,,example that supports external connections\Nlike PDF here, right? This is a PDF. When
Dialogue: 0,0:27:01.74,0:27:05.87,Default,,0000,0000,0000,,you click on it it will warn you and will\Nsay "Do you really want to make a
Dialogue: 0,0:27:05.87,0:27:12.17,Default,,0000,0000,0000,,connection to this domain?" And if you\Nclick "yes" you will do a connection there,
Dialogue: 0,0:27:12.17,0:27:18.28,Default,,0000,0000,0000,,right? And when you look at the how\Nthe URL is encoded in the PDF when you
Dialogue: 0,0:27:18.28,0:27:23.09,Default,,0000,0000,0000,,open the PDF in an hex editor you see it's\Njust a string just like HTML,
Dialogue: 0,0:27:23.09,0:27:27.72,Default,,0000,0000,0000,,basically, right? So we could in theory\Nuse this as well. So you could change and
Dialogue: 0,0:27:27.72,0:27:32.41,Default,,0000,0000,0000,,S/MIME e-mail that it contains a PDF\Nattachment and when you click the PDF
Dialogue: 0,0:27:32.41,0:27:37.03,Default,,0000,0000,0000,,attachment it will exfiltrate. With no\Nuser interaction, it works with with
Dialogue: 0,0:27:37.03,0:27:42.70,Default,,0000,0000,0000,,Microsoft Word for example. So that's a\Ndoc file and doc files allow external
Dialogue: 0,0:27:42.70,0:27:50.85,Default,,0000,0000,0000,,images that will load. It has no user\Ninteraction at all, so you just open it and
Dialogue: 0,0:27:50.85,0:27:55.06,Default,,0000,0000,0000,,the request will happen and the only\Nproblem that we're having here is it's not
Dialogue: 0,0:27:55.06,0:27:59.81,Default,,0000,0000,0000,,an ASCII URL, it's a Unicode URL. So I'm\Nnot sure whether this works with
Dialogue: 0,0:27:59.81,0:28:05.62,Default,,0000,0000,0000,,exfiltration but hey no user interaction,\Nright? And. Now you could say "Okay PDF,
Dialogue: 0,0:28:05.62,0:28:10.22,Default,,0000,0000,0000,,Microsoft Word. That's very bad." - The same\Nworks in in LibreOffice and it's not a
Dialogue: 0,0:28:10.22,0:28:19.51,Default,,0000,0000,0000,,bug in the viewers, right? It's a basic\Nfeature that has been in these standards
Dialogue: 0,0:28:19.51,0:28:23.15,Default,,0000,0000,0000,,forever, right? So it's a thing that will\Nbe supported. It's not a zero day
Dialogue: 0,0:28:23.15,0:28:28.35,Default,,0000,0000,0000,,vulnerability in these viewers. It's just\Nthe file format support it, so you can
Dialogue: 0,0:28:28.35,0:28:34.00,Default,,0000,0000,0000,,abuse it. If you have some time: here's a\Nchallenge for you. If someone is able to
Dialogue: 0,0:28:34.00,0:28:42.78,Default,,0000,0000,0000,,make a successful demo for exfiltrating an\NS/MIME e-mail using a PDF or a doc file for
Dialogue: 0,0:28:42.78,0:28:49.01,Default,,0000,0000,0000,,example you will get a crate of Club Mate\Nand some efail swag, if you want to?
Dialogue: 0,0:28:49.01,0:28:56.15,Default,,0000,0000,0000,,OK. So what happened after we disclosed\Nit. Obviously we disclosed it to all the
Dialogue: 0,0:28:56.15,0:29:00.78,Default,,0000,0000,0000,,manufacturers and so on. And there's an\NS/MIME draft of a new RFC. So there's a
Dialogue: 0,0:29:00.78,0:29:05.30,Default,,0000,0000,0000,,working group and they already\Nmassaged the countermeasures into the
Dialogue: 0,0:29:05.30,0:29:11.11,Default,,0000,0000,0000,,current RFC draft. So for example to\Ncounter the CBC gadget attack they say: use
Dialogue: 0,0:29:11.11,0:29:19.90,Default,,0000,0000,0000,,a GCM which is not right now in the in the\Ncurrent RFC but in a draft it's already in.
Dialogue: 0,0:29:19.90,0:29:22.14,Default,,0000,0000,0000,,And so they're referencing\Nthe paper and they're saying:
Dialogue: 0,0:29:22.14,0:29:26.70,Default,,0000,0000,0000,,"OK you need to do this and do this as\Nquickly as possible." And the second Efail
Dialogue: 0,0:29:26.70,0:29:32.82,Default,,0000,0000,0000,,attack which I'll talk about very soon is\Nalso mitigated in this in this RFC draft.
Dialogue: 0,0:29:32.82,0:29:39.03,Default,,0000,0000,0000,,OK. So S/MIME was pretty much broken. And\Nyou can just try to convince your e-mail
Dialogue: 0,0:29:39.03,0:29:45.79,Default,,0000,0000,0000,,client not to do any external connections.\NOK. That's all you have. Which at least,
Dialogue: 0,0:29:45.79,0:29:51.72,Default,,0000,0000,0000,,I mean, for cryptographer this means\Nbroken, OK? When you have to rely
Dialogue: 0,0:29:51.72,0:29:56.43,Default,,0000,0000,0000,,on the viewer not making any connections,\Nthe cryptography is broken. So what are
Dialogue: 0,0:29:56.43,0:30:02.31,Default,,0000,0000,0000,,the changes to OpenPGP because there are\Nsubstantial differences to to OpenPGP.
Dialogue: 0,0:30:02.31,0:30:08.57,Default,,0000,0000,0000,,So first of all PGP uses a variation of the\NCFB-mode. It's not CBC-mode but CFB-mode.
Dialogue: 0,0:30:08.57,0:30:15.24,Default,,0000,0000,0000,,And they have pretty similar, they are\Nvery similar. So I won't show it here,
Dialogue: 0,0:30:15.24,0:30:19.86,Default,,0000,0000,0000,,if you are looking for the details, please\Nlook at the paper, but it's very similar.
Dialogue: 0,0:30:19.86,0:30:25.11,Default,,0000,0000,0000,,We can also flip bits and we also have\Nthese chunk bits in the middle and so on.
Dialogue: 0,0:30:25.11,0:30:29.59,Default,,0000,0000,0000,,What really caused a lot of headaches is\Nthe plain text compression. So that means
Dialogue: 0,0:30:29.59,0:30:37.58,Default,,0000,0000,0000,,in OpenPGP you don't encrypt directly the\Nplain text but you deflate it
Dialogue: 0,0:30:37.58,0:30:42.01,Default,,0000,0000,0000,,before you encrypt it and that makes it\Nvery hard to guess plain text bytes, because
Dialogue: 0,0:30:42.01,0:30:47.34,Default,,0000,0000,0000,,for our attack to work we need to guess plain\Ntext bytes and when we know plain text
Dialogue: 0,0:30:47.34,0:30:52.99,Default,,0000,0000,0000,,certain parts of the plain text but it's\Ndeflated we have a problem. Okay? And what
Dialogue: 0,0:30:52.99,0:30:57.52,Default,,0000,0000,0000,,is also the most important thing is that\NOpenPGP defines a modification
Dialogue: 0,0:30:57.52,0:31:02.34,Default,,0000,0000,0000,,detection code, which is basically this is\Nthe message here. And the modification
Dialogue: 0,0:31:02.34,0:31:07.90,Default,,0000,0000,0000,,detection code is a hash of the message\Nappended at the plain text and
Dialogue: 0,0:31:07.90,0:31:17.92,Default,,0000,0000,0000,,then encrypted. Okay? Which should detect\Nplain text modifications. Now
Dialogue: 0,0:31:17.92,0:31:25.19,Default,,0000,0000,0000,,how does the OpenPGP standard say how to\Ndeal with broken MDCs when an MDC is not
Dialogue: 0,0:31:25.19,0:31:29.32,Default,,0000,0000,0000,,valid. Well, they say an implementation\Nmust treat an MDC failure as a security
Dialogue: 0,0:31:29.32,0:31:34.47,Default,,0000,0000,0000,,problem, but they don't say what is a\Nsecurity problem. What do you need to do
Dialogue: 0,0:31:34.47,0:31:39.75,Default,,0000,0000,0000,,then. And the implementation may allow the\Nuser access to the erroneous data. So the
Dialogue: 0,0:31:39.75,0:31:44.05,Default,,0000,0000,0000,,modified data may be passed on to the\Ne-mail clients.
Dialogue: 0,0:31:44.05,0:31:49.84,Default,,0000,0000,0000,,And basically we tried to do this, right?\NBut before we go there we looked at how
Dialogue: 0,0:31:49.84,0:31:53.73,Default,,0000,0000,0000,,many keys on the public key servers\Nsupport MDCs at all.
Dialogue: 0,0:31:53.73,0:32:01.01,Default,,0000,0000,0000,,So MDC is a feature that came to OpenPGP\Nin the early 2000s and before that it
Dialogue: 0,0:32:01.01,0:32:05.39,Default,,0000,0000,0000,,wasn't possible to use it. And so\Ntherefore to make this to make the change
Dialogue: 0,0:32:05.39,0:32:11.73,Default,,0000,0000,0000,,from software that doesn't use MDC versus\Nsoftware that that does use MDC they
Dialogue: 0,0:32:11.73,0:32:17.58,Default,,0000,0000,0000,,encoded in the key whether you support MDC\Nor not. And here you see those keys that
Dialogue: 0,0:32:17.58,0:32:22.00,Default,,0000,0000,0000,,were generated in 2000 they don't support\NMDCs and the green ones - they support
Dialogue: 0,0:32:22.00,0:32:30.71,Default,,0000,0000,0000,,it. But, the problem is, when you accumulate\Nall the valid keys in PGP that don't
Dialogue: 0,0:32:30.71,0:32:37.19,Default,,0000,0000,0000,,support MDCs we still see that at the key\Nservers right now in 2017 we have
Dialogue: 0,0:32:37.19,0:32:42.29,Default,,0000,0000,0000,,something like one point seven million of\Nthe keys that don't support MDC. So when I
Dialogue: 0,0:32:42.29,0:32:48.56,Default,,0000,0000,0000,,sent an email to one of these people my\Nimplementation will not use an MDC, or
Dialogue: 0,0:32:48.56,0:32:55.33,Default,,0000,0000,0000,,right? They - yeah I'll come to this later.\NSo we thought about okay how
Dialogue: 0,0:32:55.33,0:33:00.07,Default,,0000,0000,0000,,can we make a structured analysis how the\NMDC is treated with. The OpenPGP standard
Dialogue: 0,0:33:00.07,0:33:05.42,Default,,0000,0000,0000,,is not clear what to do with it. And so\Nwe have three test cases. First of all, we
Dialogue: 0,0:33:05.42,0:33:10.91,Default,,0000,0000,0000,,try to strip the MDC. So we just use this\Nencrypted packet here and strip off at the
Dialogue: 0,0:33:10.91,0:33:17.04,Default,,0000,0000,0000,,end. We just say OK it's incorrect, right?\NSo we make our modification in the
Dialogue: 0,0:33:17.04,0:33:24.08,Default,,0000,0000,0000,,plain text and see whether they will detect\Nthis error or we could also do this
Dialogue: 0,0:33:24.08,0:33:29.23,Default,,0000,0000,0000,,downgrade from the packet type that\Nsupports MDC to the old packet type that
Dialogue: 0,0:33:29.23,0:33:34.84,Default,,0000,0000,0000,,does not support MDC, right? And when we\Ncheck this, especially with the most widely
Dialogue: 0,0:33:34.84,0:33:40.26,Default,,0000,0000,0000,,used clients we saw that Thunderbird and\NEnigmail and Apple Mail and GPG tools they
Dialogue: 0,0:33:40.26,0:33:46.07,Default,,0000,0000,0000,,basically ignored the MDC and that was the\Nreason why we didn't see the MDC as very
Dialogue: 0,0:33:46.07,0:33:51.67,Default,,0000,0000,0000,,important because in our test systems it\Nwasn't just treated, OK?
Dialogue: 0,0:33:51.67,0:33:57.70,Default,,0000,0000,0000,,Now what are the Efail related changes\Nto OpenPGP. And we're talking about the
Dialogue: 0,0:33:57.70,0:34:02.61,Default,,0000,0000,0000,,changes that were done after we\Ndisclosed this to them.
Dialogue: 0,0:34:02.61,0:34:05.64,Default,,0000,0000,0000,,First of all they made something that is\Nvery important.
Dialogue: 0,0:34:05.64,0:34:11.09,Default,,0000,0000,0000,,They say that the packet type and PGP that\Ndoes not support MDC is now obsolete. So
Dialogue: 0,0:34:11.09,0:34:16.22,Default,,0000,0000,0000,,you must not use this packet type anymore.\NYou must ignore it. Which also means that
Dialogue: 0,0:34:16.22,0:34:21.52,Default,,0000,0000,0000,,when you have used non MDC messages in\Nyour mailbox you will not be able to open
Dialogue: 0,0:34:21.52,0:34:28.34,Default,,0000,0000,0000,,them anymore, OK? Yeah. That's a\Nproblem. Then they also said: "OK, what
Dialogue: 0,0:34:28.34,0:34:33.86,Default,,0000,0000,0000,,is supposed to happen when the MDC\Nwas wrong?" And this is the text that we
Dialogue: 0,0:34:33.86,0:34:38.36,Default,,0000,0000,0000,,have already seen where we said "the\Nimplementation may allow the user access
Dialogue: 0,0:34:38.36,0:34:43.24,Default,,0000,0000,0000,,to the erroneous data" and they changed\Nthis in the current draft to "the
Dialogue: 0,0:34:43.24,0:34:48.28,Default,,0000,0000,0000,,implementation should not allow the user\Nto process the erroneous data." Right? They
Dialogue: 0,0:34:48.28,0:34:53.19,Default,,0000,0000,0000,,must still warn the user. And so on and so\Non. But it should not allow the user, which
Dialogue: 0,0:34:53.19,0:35:02.41,Default,,0000,0000,0000,,is good. That's a good change. So this was\Nthe - this MDC check is a bit troublesome
Dialogue: 0,0:35:02.41,0:35:08.45,Default,,0000,0000,0000,,because it's right at the end of the\Nplain text, so you can only check the MDC
Dialogue: 0,0:35:08.45,0:35:13.25,Default,,0000,0000,0000,,when you have fully decrypted the message\Nwhich means when you have a large e-mail
Dialogue: 0,0:35:13.25,0:35:18.51,Default,,0000,0000,0000,,or a large back-up or so you have to fully\Ndecrypt it and afterwards only you can tell
Dialogue: 0,0:35:18.51,0:35:24.43,Default,,0000,0000,0000,,whether it was valid or not. And the\Nsolution of GnuPG is that it will just
Dialogue: 0,0:35:24.43,0:35:30.62,Default,,0000,0000,0000,,stream - while it decrypts it will stream\Nthe data to to the e-mail client and
Dialogue: 0,0:35:30.62,0:35:34.70,Default,,0000,0000,0000,,afterwards tell it whether it's supposed\Nto use it or not, OK? So here's your
Dialogue: 0,0:35:34.70,0:35:39.89,Default,,0000,0000,0000,,email, here's your e-mail, here's your - Oh no!\NYou must not use it, please forget it, right?
Dialogue: 0,0:35:39.89,0:35:44.98,Default,,0000,0000,0000,,Which is not fine. This is not a safe way of\Ndoing it. So the current OpenPGP draft,
Dialogue: 0,0:35:44.98,0:35:48.69,Default,,0000,0000,0000,,before Efail, before we did the\Ndisclosure already supported something
Dialogue: 0,0:35:48.69,0:35:53.52,Default,,0000,0000,0000,,that they called chunking. So they not\Nonly have an MDC some kind of a MAC at the
Dialogue: 0,0:35:53.52,0:35:57.80,Default,,0000,0000,0000,,end of the plain text, but they chunk it\Ninto more chunks and each of these
Dialogue: 0,0:35:57.80,0:36:04.67,Default,,0000,0000,0000,,has a MAC - a real MAC - which is much better\Nbecause, right? You can authenticate chunks
Dialogue: 0,0:36:04.67,0:36:13.66,Default,,0000,0000,0000,,and cache it before you give it to the\Napp. The problem is that the standard says
Dialogue: 0,0:36:13.66,0:36:20.92,Default,,0000,0000,0000,,that 120MB is like a good chunk size\Nwhich is far too big, right? Far too big.
Dialogue: 0,0:36:20.92,0:36:26.37,Default,,0000,0000,0000,,And when we look at the Efail related\Nchanges to GnuPG. So for example MDCs
Dialogue: 0,0:36:26.37,0:36:31.54,Default,,0000,0000,0000,,where they used to be warnings. So when\NGnuPG was detecting that an MDC is not
Dialogue: 0,0:36:31.54,0:36:37.59,Default,,0000,0000,0000,,there or it's wrong, they would just warn\Nit but it would still print it out. GnuPG
Dialogue: 0,0:36:37.59,0:36:45.26,Default,,0000,0000,0000,,now, like, fails it makes a hard failure now\Nand GnuPG now always uses the MDC
Dialogue: 0,0:36:45.26,0:36:50.81,Default,,0000,0000,0000,,independently if the key denotes that\Nthe receiver can use it or not. Which
Dialogue: 0,0:36:50.81,0:36:54.65,Default,,0000,0000,0000,,is also very good but it is a breaking\Nchange, rightß So when you have people that
Dialogue: 0,0:36:54.65,0:36:58.29,Default,,0000,0000,0000,,send you PGP e-mails and you can't decrypt\Nthem anymore you have to tell them that
Dialogue: 0,0:36:58.29,0:37:05.63,Default,,0000,0000,0000,,they need to update GnuPG.\NThey also say that the default chunk size
Dialogue: 0,0:37:05.63,0:37:11.60,Default,,0000,0000,0000,,is 120 megabyte which means they still\Nstream unauthenticated plaintext so they
Dialogue: 0,0:37:11.60,0:37:17.96,Default,,0000,0000,0000,,missed this opportunity to make \Nthis go away, which is a pity.
Dialogue: 0,0:37:17.96,0:37:24.38,Default,,0000,0000,0000,,Okay. What is not answered neither by\NS/MIME nor by PGP: How to deal with past
Dialogue: 0,0:37:24.38,0:37:28.15,Default,,0000,0000,0000,,e-mails? So, basically all the emails that\Nyou're sending in S/MIME encrypted right
Dialogue: 0,0:37:28.15,0:37:34.69,Default,,0000,0000,0000,,now are insecure and the old ones that\Ndon't use MDC in PGP they are also not
Dialogue: 0,0:37:34.69,0:37:39.48,Default,,0000,0000,0000,,secure and nobody talks about what's \Nsupposed to happen with them, right?
Dialogue: 0,0:37:39.48,0:37:43.92,Default,,0000,0000,0000,,Okay, that was the interesting attack. That
Dialogue: 0,0:37:43.92,0:37:46.79,Default,,0000,0000,0000,,was the one that was really\Ncryptographically involving,
Dialogue: 0,0:37:46.79,0:37:51.13,Default,,0000,0000,0000,,that required changes to the standards and\Nso on. Now let's look at something that's
Dialogue: 0,0:37:51.13,0:37:56.79,Default,,0000,0000,0000,,a bit more silly. Okay, so we have Alice\Nwrites an e-mail to Bob, we encrypt it and
Dialogue: 0,0:37:56.79,0:38:02.73,Default,,0000,0000,0000,,send it off to Bob. Now here we have the\Noriginal e-mail and now Eve composes an
Dialogue: 0,0:38:02.73,0:38:08.68,Default,,0000,0000,0000,,attack e-mail. And it somehow gained access\Nto the PGP ciphertext, it also works for
Dialogue: 0,0:38:08.68,0:38:13.14,Default,,0000,0000,0000,,S/MIME, right, it's independent. It's a\Nvulnerability in the in the mail clients.
Dialogue: 0,0:38:13.14,0:38:18.35,Default,,0000,0000,0000,,And now we don't change the ciphertext we\Njust surround it with other MIME parts
Dialogue: 0,0:38:18.35,0:38:24.31,Default,,0000,0000,0000,,that are of type HTML and that exfiltrated\Nthe same as we did before only that we
Dialogue: 0,0:38:24.31,0:38:28.91,Default,,0000,0000,0000,,don't need to change the \Nciphertext at all, right?
Dialogue: 0,0:38:28.91,0:38:34.11,Default,,0000,0000,0000,,So basically when this is decrypted it\Nwill be replaced with a plain text in
Dialogue: 0,0:38:34.11,0:38:38.95,Default,,0000,0000,0000,,place and then it will be merged into one\Ndocument. And now I have to tell you
Dialogue: 0,0:38:38.95,0:38:44.84,Default,,0000,0000,0000,,something that many people don't seem to\Nknow. All mail clients, except mutt, they
Dialogue: 0,0:38:44.84,0:38:51.80,Default,,0000,0000,0000,,use HTML to view emails. So even when you\Ndisable HTML it basically means that they
Dialogue: 0,0:38:51.80,0:38:57.53,Default,,0000,0000,0000,,will use incoming HTML e-mails, parse\Nthem, transform them into something that
Dialogue: 0,0:38:57.53,0:39:04.45,Default,,0000,0000,0000,,looks like ASCII and display this in HTML.\NOkay. So, right? There is no such thing as
Dialogue: 0,0:39:04.45,0:39:10.44,Default,,0000,0000,0000,,ASCII e-mails with most of the clients. So\Nbut here now you have one HTML document
Dialogue: 0,0:39:10.44,0:39:15.99,Default,,0000,0000,0000,,which basically means the same, it will\Nexfiltrate and very easy. Okay? So let's
Dialogue: 0,0:39:15.99,0:39:22.40,Default,,0000,0000,0000,,look here and on this video here we have\Nwe create one ciphertext we encrypt it. We
Dialogue: 0,0:39:22.40,0:39:29.23,Default,,0000,0000,0000,,use Apple Mail because this was one of the\Ntwo vulnerable clients and we just open this
Dialogue: 0,0:39:29.23,0:39:36.63,Default,,0000,0000,0000,,email in order to view the PGP ciphertext,\Nright? We look at the raw code of the
Dialogue: 0,0:39:36.63,0:39:45.36,Default,,0000,0000,0000,,ciphertext, raw source and we scroll down\Nand there we see there's the PGP message,
Dialogue: 0,0:39:45.36,0:39:52.53,Default,,0000,0000,0000,,OK? Now in the next minute Eve somehow\Ngained access to this ciphertext and it
Dialogue: 0,0:39:52.53,0:40:01.31,Default,,0000,0000,0000,,will compose a attacker email which is\Nhidden in a python program that we just
Dialogue: 0,0:40:01.31,0:40:06.14,Default,,0000,0000,0000,,use to generate an e-mail, so this\Nhappened now in the background, you will
Dialogue: 0,0:40:06.14,0:40:13.91,Default,,0000,0000,0000,,see an e-mail is incoming. Here we\Njust open the access log for this and when
Dialogue: 0,0:40:13.91,0:40:20.69,Default,,0000,0000,0000,,we click on it, right at this time, it will\Nbe exfiltrated. Okay. So very easy attack,
Dialogue: 0,0:40:20.69,0:40:24.95,Default,,0000,0000,0000,,anyone can do this, you don't need to know\Nanything about cryptography you only need
Dialogue: 0,0:40:24.95,0:40:28.97,Default,,0000,0000,0000,,to understand a little bit of HTML and a\Nlittle bit of MIME and you can execute
Dialogue: 0,0:40:28.97,0:40:37.12,Default,,0000,0000,0000,,this. You know what's worse than this? How\Nabout we just exfiltrate many e-mails with
Dialogue: 0,0:40:37.12,0:40:42.05,Default,,0000,0000,0000,,a single attack e-mail because we could\Nbasically use - here we open an image,
Dialogue: 0,0:40:42.05,0:40:46.70,Default,,0000,0000,0000,,here's the ciphertext. Here would close\Nit. Then we open another image. Here's the
Dialogue: 0,0:40:46.70,0:40:51.68,Default,,0000,0000,0000,,second ciphertext. Then we close it. Then\Nwe open a third one and so on and so on.
Dialogue: 0,0:40:51.68,0:40:56.91,Default,,0000,0000,0000,,And what you see here, on the left hand\Nside you see there's 100 ciphertext packed
Dialogue: 0,0:40:56.91,0:41:02.63,Default,,0000,0000,0000,,into one e-mail that is sent to this\Nclient. I blurred this because I used 100
Dialogue: 0,0:41:02.63,0:41:08.80,Default,,0000,0000,0000,,GPG e-mails that I sent, right? I didn't\Nwant to show them to you. Now this takes
Dialogue: 0,0:41:08.80,0:41:13.05,Default,,0000,0000,0000,,some time. Now it's like decrypting,\Ndecrypting, decrypting, decrypting. And when
Dialogue: 0,0:41:13.05,0:41:17.58,Default,,0000,0000,0000,,you look at the terminal on the left side\Nyou see 100 e-mails getting exfiltated,
Dialogue: 0,0:41:17.58,0:41:23.60,Default,,0000,0000,0000,,right? Automatically simply by opening a\Nsingle email. Okay this is horrifying.
Dialogue: 0,0:41:23.60,0:41:30.70,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:41:30.70,0:41:34.84,Default,,0000,0000,0000,,And when I say horrifying I'm really\Nliterally mean: this is horrifying. So we
Dialogue: 0,0:41:34.84,0:41:40.10,Default,,0000,0000,0000,,were like afraid OK when we disclose this\Nthen people will start attacking this
Dialogue: 0,0:41:40.10,0:41:48.41,Default,,0000,0000,0000,,within the hour or so, OK? And so we\Ndisclosed this in early 2018. End of 2017,
Dialogue: 0,0:41:48.41,0:41:57.01,Default,,0000,0000,0000,,early 2018. And in May 2018 we had already\Nshifted the disclosure date twice and in
Dialogue: 0,0:41:57.01,0:42:01.68,Default,,0000,0000,0000,,May we said OK we won't shift this\Nanymore. And so therefore we said OK we go
Dialogue: 0,0:42:01.68,0:42:06.31,Default,,0000,0000,0000,,online but we want to make a\Npreannouncement. We want to
Dialogue: 0,0:42:06.31,0:42:11.69,Default,,0000,0000,0000,,warn the people that if you use \NPGP or S/MIME for very sensitive
Dialogue: 0,0:42:11.69,0:42:17.00,Default,,0000,0000,0000,,communication you should disable it in\Nyour e-mail client for now. These are the
Dialogue: 0,0:42:17.00,0:42:22.72,Default,,0000,0000,0000,,original tweets that we sent and we said: \NOK, In a day, OK, when you have done this
Dialogue: 0,0:42:22.72,0:42:27.05,Default,,0000,0000,0000,,then we will disclose everything, OK? We\Nwill go online with the paper and
Dialogue: 0,0:42:27.05,0:42:33.02,Default,,0000,0000,0000,,everything. And now I mean people started\Ntalking about it and then the GnuPG people
Dialogue: 0,0:42:33.02,0:42:37.95,Default,,0000,0000,0000,,started tweeting and they basically broke\Nthe embargo. So they told OK the attack is
Dialogue: 0,0:42:37.95,0:42:41.31,Default,,0000,0000,0000,,working like this. First you do this and\Nthen you do that and then you do that and
Dialogue: 0,0:42:41.31,0:42:45.16,Default,,0000,0000,0000,,they were blabbing and so on and then they\Nsent it, which is annoying, but then they
Dialogue: 0,0:42:45.16,0:42:49.78,Default,,0000,0000,0000,,sent this. So they said know that new\NGnuPG team was not contacted by them in
Dialogue: 0,0:42:49.78,0:42:55.70,Default,,0000,0000,0000,,advance. And this, this really, OK? Then\Nit got really hot. Okay.
Dialogue: 0,0:42:55.70,0:43:00.38,Default,,0000,0000,0000,,This is not true. I will show you later,\Nbut I mean this tipped off almost anyone
Dialogue: 0,0:43:00.38,0:43:06.16,Default,,0000,0000,0000,,in the INFOSEC community. And we got hate\Ne-mails and yeah people were really mad
Dialogue: 0,0:43:06.16,0:43:10.20,Default,,0000,0000,0000,,with them, I posted "We did contact them."\Nand this is like the, these are the
Dialogue: 0,0:43:10.20,0:43:13.82,Default,,0000,0000,0000,,original dates when I talked with Werner\NKoch which is the main developer of of
Dialogue: 0,0:43:13.82,0:43:18.15,Default,,0000,0000,0000,,GnuPG. But it was too late. I mean they\Nthey recognized that they said: "Oh yeah, oh
Dialogue: 0,0:43:18.15,0:43:25.38,Default,,0000,0000,0000,,I forgot!" Right? That they sent this paper\Nhere. That writes EFAIL with our names and
Dialogue: 0,0:43:25.38,0:43:31.43,Default,,0000,0000,0000,,a date and an embargo and so on and so on.\NAnd they said they forgot it, OK? But I
Dialogue: 0,0:43:31.43,0:43:37.18,Default,,0000,0000,0000,,mean we lost at this point, OK? People\Nwere hating us. I was called a murderer.
Dialogue: 0,0:43:37.18,0:43:41.29,Default,,0000,0000,0000,,And and so on and so on and so it was\Nreally, really weird. If you're interested
Dialogue: 0,0:43:41.29,0:43:45.15,Default,,0000,0000,0000,,of how things worked, right, this is an\Nindependent summary of the disclosure
Dialogue: 0,0:43:45.15,0:43:50.79,Default,,0000,0000,0000,,timeline from Thomas Ptacek which is not\Ninvolved with us at all we have never met
Dialogue: 0,0:43:50.79,0:43:55.19,Default,,0000,0000,0000,,him, but who was so kind to just compile\Nthis just from public information that are
Dialogue: 0,0:43:55.19,0:44:01.59,Default,,0000,0000,0000,,really reliable.\NSo and then something happened that
Dialogue: 0,0:44:01.59,0:44:07.32,Default,,0000,0000,0000,,we what we could foresee. People were\Nfinding - like there were some patches -
Dialogue: 0,0:44:07.32,0:44:12.13,Default,,0000,0000,0000,,and I told you already that we saw\Nthat these patches are not sufficient.
Dialogue: 0,0:44:12.13,0:44:18.63,Default,,0000,0000,0000,,And two days later people came up with new\Nstyle of attacks, new EFAIL attacks and
Dialogue: 0,0:44:18.63,0:44:23.04,Default,,0000,0000,0000,,this was Hanno who found something. So he\Nsaid I found a trivial bypass EFAIL is
Dialogue: 0,0:44:23.04,0:44:27.66,Default,,0000,0000,0000,,still exploitable with the latest Enigmail\Nand Thunderbird - that is three days after
Dialogue: 0,0:44:27.66,0:44:32.03,Default,,0000,0000,0000,,we did the disclosure and he responsibly\Ndisclosed this and so on and so on. So
Dialogue: 0,0:44:32.03,0:44:37.46,Default,,0000,0000,0000,,everything is fine. Micah Lee, from The\NIntercept, also developed a proof of
Dialogue: 0,0:44:37.46,0:44:43.08,Default,,0000,0000,0000,,concept exploit that works against Apple\NMail and GPG tools also 2 or 3 days later.
Dialogue: 0,0:44:43.08,0:44:48.03,Default,,0000,0000,0000,,So we were right, right? So people were\Nfinding ways to circumvent the fixes that
Dialogue: 0,0:44:48.03,0:44:54.78,Default,,0000,0000,0000,,were in there. But still I mean, OK, media\Nwas blowing up, OK? And we didn't actually
Dialogue: 0,0:44:54.78,0:45:01.85,Default,,0000,0000,0000,,understand what was really going on there.\NBut you have to know I mean PGP is like,
Dialogue: 0,0:45:01.85,0:45:07.21,Default,,0000,0000,0000,,one of the main users of PHP, eh of PGP is\Njournalists, right.
Dialogue: 0,0:45:07.21,0:45:11.13,Default,,0000,0000,0000,,So and they basically, I mean you show\Nit to them look that's the attack and they
Dialogue: 0,0:45:11.13,0:45:16.69,Default,,0000,0000,0000,,will like what? That's how easy it is? And\Nthat's what you see in the press I guess.
Dialogue: 0,0:45:16.69,0:45:23.05,Default,,0000,0000,0000,,So what are the lessons learned from the\Ndisclosure. So first of all: people kept
Dialogue: 0,0:45:23.05,0:45:27.12,Default,,0000,0000,0000,,complaining, I mean people kept\Ncomplaining to us that we didn't stick to
Dialogue: 0,0:45:27.12,0:45:32.31,Default,,0000,0000,0000,,the 90 day disclosure deadline. So\Nwe had more than 200 days disclosure and
Dialogue: 0,0:45:32.31,0:45:36.50,Default,,0000,0000,0000,,we postponed it and so on and so on. And\Nin the aftermath it didn't make sense
Dialogue: 0,0:45:36.50,0:45:40.68,Default,,0000,0000,0000,,because we were postponing and postponing\Nit and there were still no reliable fixes.
Dialogue: 0,0:45:40.68,0:45:43.91,Default,,0000,0000,0000,,So we should have stuck to the 90 day\Ndisclosure deadline because after we
Dialogue: 0,0:45:43.91,0:45:48.05,Default,,0000,0000,0000,,disclosed it they were in a rush. They\Nreleased patches and stuff like, you know?
Dialogue: 0,0:45:48.05,0:45:54.19,Default,,0000,0000,0000,,So it was, yeah. Be careful with\Ndisclosure preannouncements. The problem
Dialogue: 0,0:45:54.19,0:46:00.86,Default,,0000,0000,0000,,here is people will speculate about the\Ndetails. You know, because when you say: "OK
Dialogue: 0,0:46:00.86,0:46:04.65,Default,,0000,0000,0000,,we'll disclose something tomorrow but\Nwe're not going to speak today" - then
Dialogue: 0,0:46:04.65,0:46:08.84,Default,,0000,0000,0000,,journalists will speak to some random\Npeople, right? That they just get their
Dialogue: 0,0:46:08.84,0:46:14.39,Default,,0000,0000,0000,,hands on and they will just try to guess\Nwhat it could be. And this means they will
Dialogue: 0,0:46:14.39,0:46:19.70,Default,,0000,0000,0000,,underrate the risk or they will overrate\Nthe risk. Underrate the risk is just
Dialogue: 0,0:46:19.70,0:46:23.54,Default,,0000,0000,0000,,disable external images, loading external\Nimages, then you're fine. That is
Dialogue: 0,0:46:23.54,0:46:30.24,Default,,0000,0000,0000,,underrating and overrating is like: "OK, PGP\Nis broken, forever", right? Which is not
Dialogue: 0,0:46:30.24,0:46:34.51,Default,,0000,0000,0000,,the case. And they will spread this false\Ninformation and you still see this out
Dialogue: 0,0:46:34.51,0:46:40.63,Default,,0000,0000,0000,,there, right? It's documented. People have\Nissued like papers and so on and so on
Dialogue: 0,0:46:40.63,0:46:45.32,Default,,0000,0000,0000,,with wrong information, provably wrong\Ninformation. Which is bad and so these
Dialogue: 0,0:46:45.32,0:46:48.48,Default,,0000,0000,0000,,disclosure preannouncements are bad\Nbecause you're not in control of the
Dialogue: 0,0:46:48.48,0:46:53.04,Default,,0000,0000,0000,,communication anymore. That's very bad.\NAnd controlling information flow really is
Dialogue: 0,0:46:53.04,0:46:57.20,Default,,0000,0000,0000,,key after you do the disclosure because\Notherwise you get the wrong story out and
Dialogue: 0,0:46:57.20,0:47:05.81,Default,,0000,0000,0000,,this this doesn't help at all. Okay. Let's\Nlook at the last attack, and we call this
Dialogue: 0,0:47:05.81,0:47:10.30,Default,,0000,0000,0000,,reply to attacker.\NAnd I have to give credit to the people of
Dialogue: 0,0:47:10.30,0:47:16.73,Default,,0000,0000,0000,,Cure53, which also found this bug or a\Nsimilar very similar version of this bug
Dialogue: 0,0:47:16.73,0:47:20.86,Default,,0000,0000,0000,,as well and disclosed it. But they were\Nfirst to disclose it so credit goes to
Dialogue: 0,0:47:20.86,0:47:27.27,Default,,0000,0000,0000,,them, OK? Here, the attacker scenario is\NI get an e-mail from some person which
Dialogue: 0,0:47:27.27,0:47:32.28,Default,,0000,0000,0000,,makes sense. It's a benign e-mail. Okay.\NIt doesn't look bad at all. And a person
Dialogue: 0,0:47:32.28,0:47:37.05,Default,,0000,0000,0000,,wants to trick me to answer this e-mail.\NSo this is the e-mail that I get. There's
Dialogue: 0,0:47:37.05,0:47:42.94,Default,,0000,0000,0000,,some footer here and stuff like that. And\Nnow we look in the video, it's an old
Dialogue: 0,0:47:42.94,0:47:51.00,Default,,0000,0000,0000,,version of Mail that we use here. Right.\NThis is the e-mail. We just - and I answer
Dialogue: 0,0:47:51.00,0:47:54.64,Default,,0000,0000,0000,,it, right? Because people were asking\Nme for an appointment they want to
Dialogue: 0,0:47:54.64,0:47:58.73,Default,,0000,0000,0000,,meet me and I was like yeah sure after my\Ntalk let's just meet. And this is the
Dialogue: 0,0:47:58.73,0:48:05.00,Default,,0000,0000,0000,,attacker e-mail that the attackers opened\Nand when you look closely down here you'll
Dialogue: 0,0:48:05.00,0:48:10.79,Default,,0000,0000,0000,,see secret stuff here that shouldn't be in\Nthere and that I didn't send actually.
Dialogue: 0,0:48:10.79,0:48:17.19,Default,,0000,0000,0000,,Let's look at the plain text of this\Ne-mail and the source code of this e-mail.
Dialogue: 0,0:48:17.19,0:48:23.69,Default,,0000,0000,0000,,And when you scroll down you see it's a\Nmix of just a normal, just a normal
Dialogue: 0,0:48:23.69,0:48:28.33,Default,,0000,0000,0000,,e-mail, benign e-mail. And down here you\Nfind a ciphertext it can be S/MIME it can
Dialogue: 0,0:48:28.33,0:48:35.27,Default,,0000,0000,0000,,be PGP. It doesn't really matter. And\Nwhat's happening now is:
Dialogue: 0,0:48:35.27,0:48:39.70,Default,,0000,0000,0000,,I get this e-mail, this here will be\Ndecrypted from my mail client and I don't
Dialogue: 0,0:48:39.70,0:48:44.26,Default,,0000,0000,0000,,see it because I won't scroll down. I'm a\Nlazy person I'm a top poster. Right, now
Dialogue: 0,0:48:44.26,0:48:50.18,Default,,0000,0000,0000,,you can go boo and so on, OK. But still I\Nmean top posting is considered evil here.
Dialogue: 0,0:48:50.18,0:48:55.25,Default,,0000,0000,0000,,Because I basically - the attacker was\Nsending me an e-mail where ciphertext was
Dialogue: 0,0:48:55.25,0:48:59.94,Default,,0000,0000,0000,,hidden in there that my e-mail client was\Ndecrypting and I was replying to this
Dialogue: 0,0:48:59.94,0:49:04.20,Default,,0000,0000,0000,,e-mail sending the attacker the actual\Nplain text that I just decrypted, without
Dialogue: 0,0:49:04.20,0:49:10.53,Default,,0000,0000,0000,,knowing it. Okay that's silly. Okay. Come\Non. That's really silly. Okay. What are
Dialogue: 0,0:49:10.53,0:49:16.10,Default,,0000,0000,0000,,you supposed to do now. What are the\Nthings that you should do. And the
Dialogue: 0,0:49:16.10,0:49:20.83,Default,,0000,0000,0000,,important question here is you should ask\Nyourself are you targeted by motivated
Dialogue: 0,0:49:20.83,0:49:23.31,Default,,0000,0000,0000,,attackers?\NAnd a motivated attacker is not
Dialogue: 0,0:49:23.31,0:49:29.23,Default,,0000,0000,0000,,necessarily the NSA or so, right? It can\Nbe just, I don't know, Cybercrime people or
Dialogue: 0,0:49:29.23,0:49:35.36,Default,,0000,0000,0000,,so. I mean we we basically came up with\Nthese attacks with 8 people abd the better
Dialogue: 0,0:49:35.36,0:49:40.27,Default,,0000,0000,0000,,part of a year. Which is not you know,\Nwhich is a lot of research actually but
Dialogue: 0,0:49:40.27,0:49:44.52,Default,,0000,0000,0000,,it's not like comparable to a nation\Nstate. Right. So if you're targeted by a
Dialogue: 0,0:49:44.52,0:49:50.42,Default,,0000,0000,0000,,motivated attacker and if you say yeah you\Nare probably targeted by motivated
Dialogue: 0,0:49:50.42,0:49:55.15,Default,,0000,0000,0000,,attackers then avoid e-mail in total.\NE-mail is not made for secure
Dialogue: 0,0:49:55.15,0:50:01.99,Default,,0000,0000,0000,,communication. Okay. If you can't avoid it\Nand there's people who can't avoid using
Dialogue: 0,0:50:01.99,0:50:06.79,Default,,0000,0000,0000,,e-mail they can't just use signal or any\Nother chat client, then definitely use
Dialogue: 0,0:50:06.79,0:50:15.00,Default,,0000,0000,0000,,OpenPGP and encrypt and decrypt outside of\Nthe mail client. If you are probably not
Dialogue: 0,0:50:15.00,0:50:21.96,Default,,0000,0000,0000,,targeted by motivated attackers, which is\Nmost of you and I presume I would count to
Dialogue: 0,0:50:21.96,0:50:27.51,Default,,0000,0000,0000,,the same people here, definitely prefer\NOpenPGP over S/mime because S/mime remains
Dialogue: 0,0:50:27.51,0:50:32.37,Default,,0000,0000,0000,,broken. Right, there is a standard coming\Nup which fixes most of the stuff. Disable
Dialogue: 0,0:50:32.37,0:50:39.21,Default,,0000,0000,0000,,HTML for encrypted emails and this is like\Nnot that easy. Note that most email
Dialogue: 0,0:50:39.21,0:50:45.44,Default,,0000,0000,0000,,clients use HTML by default and it might\Nbe okay if you fix it, the people that I
Dialogue: 0,0:50:45.44,0:50:51.02,Default,,0000,0000,0000,,hear in the audience. But think of all the\Npeople who are not here in this audience,
Dialogue: 0,0:50:51.02,0:50:56.26,Default,,0000,0000,0000,,who are not technically versed and so on\Nand so on and they will not disable HTML,
Dialogue: 0,0:50:56.26,0:51:00.80,Default,,0000,0000,0000,,right. So be careful with attachments\Nwhich is also very difficult, how can you
Dialogue: 0,0:51:00.80,0:51:05.36,Default,,0000,0000,0000,,be careful with attachments. Right. This\Nis not very good. And don't top post,
Dialogue: 0,0:51:05.36,0:51:12.59,Default,,0000,0000,0000,,don't cite text in a reply. Okay. That was\Nmy talk. If you want to meet us afterwards
Dialogue: 0,0:51:12.59,0:51:16.67,Default,,0000,0000,0000,,we're gonna go to the Chaos West. There's\Na huge and lighted palm and we'll be there
Dialogue: 0,0:51:16.67,0:51:23.02,Default,,0000,0000,0000,,if you have questions you can ask us\Nthere. Thank you very much.
Dialogue: 0,0:51:23.02,0:51:33.19,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:51:33.19,0:51:37.78,Default,,0000,0000,0000,,Herald: Thanks a lot Sebastian, for this\Ninteresting talk. We still have some time
Dialogue: 0,0:51:37.78,0:51:41.96,Default,,0000,0000,0000,,for questions, so if you would like to ask\Nsome questions to Sebastian then please
Dialogue: 0,0:51:41.96,0:51:47.17,Default,,0000,0000,0000,,queue up behind the microphones, and\Nplease try to be concise with your
Dialogue: 0,0:51:47.17,0:51:51.32,Default,,0000,0000,0000,,question, and please get close to the\Nmicrophone, because the mixing Angel in
Dialogue: 0,0:51:51.32,0:51:56.18,Default,,0000,0000,0000,,the back is able to make it quieter, but\Nhardly much louder, if your distance is
Dialogue: 0,0:51:56.18,0:51:59.05,Default,,0000,0000,0000,,not right. So let's start with microphone\Nnumber 2.
Dialogue: 0,0:51:59.05,0:52:05.95,Default,,0000,0000,0000,,Microphone 2: Test, test. Hello. I'm\Nactually tested the HTML exfiltrate you
Dialogue: 0,0:52:05.95,0:52:18.59,Default,,0000,0000,0000,,described. But I found out, in\NThunderbird, the HTML parsing of
Dialogue: 0,0:52:18.59,0:52:20.95,Default,,0000,0000,0000,,Thunderbird was actually helping against\Nthe attack, because the word tags was just
Dialogue: 0,0:52:20.95,0:52:25.91,Default,,0000,0000,0000,,disabled any possibility to exfiltrate the\Nmessage, because there were some div tag,
Dialogue: 0,0:52:25.91,0:52:31.76,Default,,0000,0000,0000,,which is closing your image tag at every\Npoint in time
Dialogue: 0,0:52:31.76,0:52:37.14,Default,,0000,0000,0000,,Sebastian: Yeah, so, this is one of the\Nfixes, that they did. I mean it doesn't
Dialogue: 0,0:52:37.14,0:52:40.99,Default,,0000,0000,0000,,help with the cryptography, but it makes\Nthe exeltration a bit more difficult. If
Dialogue: 0,0:52:40.99,0:52:45.89,Default,,0000,0000,0000,,you want to do the testing, try the\Nversions from before May this year.
Dialogue: 0,0:52:45.89,0:52:48.94,Default,,0000,0000,0000,,Microphone 2: I did, I did with the old\Nversions.
Dialogue: 0,0:52:48.94,0:52:51.68,Default,,0000,0000,0000,,Sebastian: We can talk afterwards if you\Nwant, and I will show it to you.
Dialogue: 0,0:52:51.68,0:52:56.69,Default,,0000,0000,0000,,Herald: We are streaming all the talks on\Nthe Internet and we have people on the
Dialogue: 0,0:52:56.69,0:53:00.21,Default,,0000,0000,0000,,internet that would like to ask a\Nquestion, so please a question from the
Dialogue: 0,0:53:00.21,0:53:02.63,Default,,0000,0000,0000,,internet.\NSignal Angel: Yeah, so there were actually
Dialogue: 0,0:53:02.63,0:53:03.75,Default,,0000,0000,0000,,many questions in the direction of\Nproblems with MIME standards. So, like,
Dialogue: 0,0:53:03.75,0:53:05.04,Default,,0000,0000,0000,,what they were asking was basically\N"Woudn't the exploitation be prevented, if
Dialogue: 0,0:53:05.04,0:53:21.27,Default,,0000,0000,0000,,the email clients would handle the\Nstandart correctly?"
Dialogue: 0,0:53:21.27,0:53:26.79,Default,,0000,0000,0000,,Sebastian: Mhm, okay. So, I am not sure\Nwhether they meant the MIME standards or
Dialogue: 0,0:53:26.79,0:53:31.71,Default,,0000,0000,0000,,the S/MIME standards. So basically, the\NMIME standards are that one to blame for
Dialogue: 0,0:53:31.71,0:53:37.15,Default,,0000,0000,0000,,the direct exoltration attacks, were you\Nhave multiple MIME-parts that are mixed
Dialogue: 0,0:53:37.15,0:53:42.71,Default,,0000,0000,0000,,together, and the MIME standards don't\Nstate explicitly how to do this. So they
Dialogue: 0,0:53:42.71,0:53:48.34,Default,,0000,0000,0000,,don't have any rules of how to handle it,\Nand basically I think, as a rule of thumb,
Dialogue: 0,0:53:48.34,0:53:53.50,Default,,0000,0000,0000,,when you try to be concise and complete\Nwith implementing the MIME standard you
Dialogue: 0,0:53:53.50,0:53:58.68,Default,,0000,0000,0000,,were vulnerable, and if you were just lazy\Nand just for example decrypted the first
Dialogue: 0,0:53:58.68,0:54:04.11,Default,,0000,0000,0000,,MIME-part or so you were not vulnerable.\NSo, leaving out much of the stuff made you
Dialogue: 0,0:54:04.11,0:54:08.81,Default,,0000,0000,0000,,more secure, which is weird.\NHerald: Thank you for the answer. We have
Dialogue: 0,0:54:08.81,0:54:12.68,Default,,0000,0000,0000,,another question in this hall, on\Nmicrophone number 6, and please remember
Dialogue: 0,0:54:12.68,0:54:14.40,Default,,0000,0000,0000,,to be concise and get close to the\Nmicrophone.
Dialogue: 0,0:54:14.40,0:54:16.74,Default,,0000,0000,0000,,Microphone 6: What do you see\N{\i1}Audio feedback loop{\i0}
Dialogue: 0,0:54:16.74,0:54:19.75,Default,,0000,0000,0000,,Microphone 6: Sorry.\NHerald: Very good! We can always make it
Dialogue: 0,0:54:19.75,0:54:20.75,Default,,0000,0000,0000,,quieter.\N{\i1}Applause{\i0}
Dialogue: 0,0:54:20.75,0:54:22.27,Default,,0000,0000,0000,,Herald: {\i1}Laughing{\i0}
Dialogue: 0,0:54:22.27,0:54:25.97,Default,,0000,0000,0000,,Microphone 6: What do you see as a future
Dialogue: 0,0:54:25.97,0:54:31.43,Default,,0000,0000,0000,,replacement to PGP for email encryption?\NSebastian: So actually, we brainstormed a
Dialogue: 0,0:54:31.43,0:54:37.58,Default,,0000,0000,0000,,little, because PGP lacks many of the\Nmodern properties, like forward secrecy
Dialogue: 0,0:54:37.58,0:54:43.10,Default,,0000,0000,0000,,and stuff like this, but it turns out that\Nit's not very easy to do this. Especially
Dialogue: 0,0:54:43.10,0:54:50.08,Default,,0000,0000,0000,,not with - when you don't want to do\Nchanges to SMTP and IMAP. So, it's gonna
Dialogue: 0,0:54:50.08,0:54:57.07,Default,,0000,0000,0000,,be difficult. It's gonna be difficult to\Nmake it more secure than PGP, besides the
Dialogue: 0,0:54:57.07,0:55:04.93,Default,,0000,0000,0000,,critisism that I already brought in. So,\NE-Mail is not a very good protocol, or the
Dialogue: 0,0:55:04.93,0:55:09.07,Default,,0000,0000,0000,,protocols that are built in E-Mail are not\Na very good to build proper crypto on top
Dialogue: 0,0:55:09.07,0:55:12.65,Default,,0000,0000,0000,,of it.\NHerald: Thank you for this answer, so
Dialogue: 0,0:55:12.65,0:55:17.56,Default,,0000,0000,0000,,maybe we need build something entirely new\Nfrom scratch. There is another question on
Dialogue: 0,0:55:17.56,0:55:20.13,Default,,0000,0000,0000,,Microphone number 2, if I see this\Ncorrectly.
Dialogue: 0,0:55:20.13,0:55:26.46,Default,,0000,0000,0000,,Microphone 2: So, do I understand it\Ncorrectly, it looks like there won't be a
Dialogue: 0,0:55:26.46,0:55:33.05,Default,,0000,0000,0000,,fix for that multi part attacks, like\Nthere is the normal plain text the
Dialogue: 0,0:55:33.05,0:55:36.65,Default,,0000,0000,0000,,attacker writes, and then there is a\Nciphertext, which my mail client decrypts;
Dialogue: 0,0:55:36.65,0:55:40.65,Default,,0000,0000,0000,,there won't be a fix for that?\NSebastian: There is a fix, so the mail
Dialogue: 0,0:55:40.65,0:55:44.84,Default,,0000,0000,0000,,clients are fixed, so that's because\Nthat's a non-breaking fix, that's a good
Dialogue: 0,0:55:44.84,0:55:49.09,Default,,0000,0000,0000,,thing here. So you can't fix S/MIME, for\Nexample, because it would be a breaking
Dialogue: 0,0:55:49.09,0:55:55.02,Default,,0000,0000,0000,,fix, but you could fix the email clients,\Nwhich was a lot of work, because MIME
Dialogue: 0,0:55:55.02,0:55:59.19,Default,,0000,0000,0000,,parsers are very complex, but they fixed\Nit, so it's not supposed to work in
Dialogue: 0,0:55:59.19,0:56:03.47,Default,,0000,0000,0000,,current mail clients anymore. The direct\Nexfiltration part.
Dialogue: 0,0:56:03.47,0:56:08.38,Default,,0000,0000,0000,,Herald: So we still have quite some time\Nleft and so I would like to have another
Dialogue: 0,0:56:08.38,0:56:11.32,Default,,0000,0000,0000,,question form the internet.\NSignal Angel: Yes, so one user asked
Dialogue: 0,0:56:11.32,0:56:14.44,Default,,0000,0000,0000,,"would you recommend a better\Npath to integrate PGP into the E-Mail
Dialogue: 0,0:56:14.44,0:56:27.15,Default,,0000,0000,0000,,clients instead of using extensions?"\NSebastian: Yea. I'm not a - I mean
Dialogue: 0,0:56:27.15,0:56:31.92,Default,,0000,0000,0000,,I already talked about this that not many\Npeople use PGP. And also not many people
Dialogue: 0,0:56:31.92,0:56:36.75,Default,,0000,0000,0000,,use S/MIME.\NI'm not sure, whether this will be
Dialogue: 0,0:56:36.75,0:56:45.14,Default,,0000,0000,0000,,increased, when OpenPGP spilled into most\Nof the mail clients, because you could use
Dialogue: 0,0:56:45.14,0:56:50.75,Default,,0000,0000,0000,,S/MIME, you know. As soon as S/MIME is\Nfixed it will be fine to use S/MIME, and
Dialogue: 0,0:56:50.75,0:56:54.66,Default,,0000,0000,0000,,it's already in all the clients in there,\Nbut not many people use it.
Dialogue: 0,0:56:54.66,0:56:59.90,Default,,0000,0000,0000,,So it would be nice, if we could have it,\Nbut I'm not sure whether it would have
Dialogue: 0,0:56:59.90,0:57:06.91,Default,,0000,0000,0000,,much of an effect on the amount of people\Nwho use it. Herald Angel: Thank you. And
Dialogue: 0,0:57:06.91,0:57:10.85,Default,,0000,0000,0000,,we have another question from Microphone\Nnumber 7.
Dialogue: 0,0:57:10.85,0:57:16.82,Default,,0000,0000,0000,,Microphone 7: Yes, hello. So I work with\Njournalists - here! here! here!
Dialogue: 0,0:57:16.82,0:57:20.04,Default,,0000,0000,0000,,Herald Angel: There, in the very back.\NMicrophone 7: There, Hello. Hello.
Dialogue: 0,0:57:20.04,0:57:21.60,Default,,0000,0000,0000,,Sebastian: Hi. Oh, yeah hi. How's it\Ngoing?
Dialogue: 0,0:57:21.60,0:57:27.34,Default,,0000,0000,0000,,Microphone 7: So I work with journalists,\Nand May was very annoying, and I cannot
Dialogue: 0,0:57:27.34,0:57:32.37,Default,,0000,0000,0000,,stress enough how important it is to - the\Npoint you've made about communicating
Dialogue: 0,0:57:32.37,0:57:33.44,Default,,0000,0000,0000,,around disclosure.\NSebastion: Yeah
Dialogue: 0,0:57:33.44,0:57:37.47,Default,,0000,0000,0000,,Microphone 7: We were scrambling. I work\Nwith about 200 journalists, who use PGP
Dialogue: 0,0:57:37.47,0:57:40.71,Default,,0000,0000,0000,,daily, and we were scrambling for any bit\Nof information.
Dialogue: 0,0:57:40.71,0:57:43.12,Default,,0000,0000,0000,,Sebastian: Yeah.\NMicrophone 7: What, what should we do? It
Dialogue: 0,0:57:43.12,0:57:44.39,Default,,0000,0000,0000,,was, it was madness.\NSebastian: Yes.
Dialogue: 0,0:57:44.39,0:57:49.25,Default,,0000,0000,0000,,Microphone 7: But I actually have a\Nquestion. The question is: Have you played
Dialogue: 0,0:57:49.25,0:57:55.50,Default,,0000,0000,0000,,with Mailpile? I've read the, I've read\Nthe paper. In the paper Mailpile, I think
Dialogue: 0,0:57:55.50,0:58:01.70,Default,,0000,0000,0000,,I remember, was mentioned, and I vaguely\Nremember it was mentioned in a positive
Dialogue: 0,0:58:01.70,0:58:07.62,Default,,0000,0000,0000,,light, but I just want to make sure, if\Nthat's the right thing that I should get
Dialogue: 0,0:58:07.62,0:58:10.23,Default,,0000,0000,0000,,from this paper.\NSebastian: I don't know it on the top of
Dialogue: 0,0:58:10.23,0:58:15.91,Default,,0000,0000,0000,,my head, but if you come afterwards to\NChaos West we'll get out the paper and
Dialogue: 0,0:58:15.91,0:58:18.69,Default,,0000,0000,0000,,look at the tests, and then we can answer\Nthis question. Cool.
Dialogue: 0,0:58:18.69,0:58:22.06,Default,,0000,0000,0000,,Microphone 7: Thank you.\NHerald: Okay. We have another question on
Dialogue: 0,0:58:22.06,0:58:27.57,Default,,0000,0000,0000,,the microphone number 6.\NMicrophone 6: So, I'd like to know if
Dialogue: 0,0:58:27.57,0:58:37.05,Default,,0000,0000,0000,,there's any difference in the attack\Nsurface, regarding OpenPGP, if plain,
Dialogue: 0,0:58:37.05,0:58:47.19,Default,,0000,0000,0000,,like, plain PGP is used or PGP/MIME. For\Nexample if you set your E-Mail client to
Dialogue: 0,0:58:47.19,0:58:58.17,Default,,0000,0000,0000,,disallow decryption of inline PGP.\NSebastian: Yeah, that's a very good
Dialogue: 0,0:58:58.17,0:59:02.32,Default,,0000,0000,0000,,question.\NI mean the reply to attacker attack that I
Dialogue: 0,0:59:02.32,0:59:08.23,Default,,0000,0000,0000,,just showed at the last. The Q53 people\Ncame up with a version that worked with
Dialogue: 0,0:59:08.23,0:59:15.73,Default,,0000,0000,0000,,inline PGP, and we showed that it's also\Npossible with PGP/MIME. So, I wouldn't say
Dialogue: 0,0:59:15.73,0:59:22.17,Default,,0000,0000,0000,,- I mean, most of the people use PGP/MIME.\NInline PGP is not used anymore. The
Dialogue: 0,0:59:22.17,0:59:27.28,Default,,0000,0000,0000,,problem is, when you don't decrypt PGP,\Ninline PGP, then you have a problem when
Dialogue: 0,0:59:27.28,0:59:32.52,Default,,0000,0000,0000,,people use PGP at an external application.\NThey can't copy and paste the ciphertext
Dialogue: 0,0:59:32.52,0:59:37.17,Default,,0000,0000,0000,,in there anymore, which is also very\Nannoying. And I also told you that it's, I
Dialogue: 0,0:59:37.17,0:59:40.91,Default,,0000,0000,0000,,think it's a very good idea to do this\Noutside of the mail client, if you're in
Dialogue: 0,0:59:40.91,0:59:47.59,Default,,0000,0000,0000,,a, if you face motivated attackers. So,\Nit's not that easy. it would be a breaking
Dialogue: 0,0:59:47.59,0:59:50.38,Default,,0000,0000,0000,,change that wouldn't, maybe not be too\Ngood.
Dialogue: 0,0:59:50.38,0:59:54.25,Default,,0000,0000,0000,,Microphone 6: Okay. Thanks.\NSebastian: Okay.
Dialogue: 0,0:59:54.25,0:59:58.66,Default,,0000,0000,0000,,Herald: Thanks a lot for this answer. I\Nthink we are done with all the questions
Dialogue: 0,0:59:58.66,1:00:03.33,Default,,0000,0000,0000,,from the hall. If you like to continue the\Ndiscussion with Sebastian Schinzel, you
Dialogue: 0,1:00:03.33,1:00:09.15,Default,,0000,0000,0000,,may move yourself to the assembly of Chaos\NWest in the next hall in this direction.
Dialogue: 0,1:00:09.15,1:00:11.98,Default,,0000,0000,0000,,And now please give a big round of\Napplause for Sebastian Schinzel and the
Dialogue: 0,1:00:11.98,1:00:14.88,Default,,0000,0000,0000,,awesome team behind.\N{\i1}Applause{\i0}
Dialogue: 0,1:00:14.88,1:00:18.82,Default,,0000,0000,0000,,{\i1}Outro plays{\i0}
Dialogue: 0,1:00:18.82,1:00:38.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!