Mailvelope v0.8.0 is now based on a new version of OpenPGP.js after a major redesign of the library. With its modular design, a new high level API, improved compatibility to the OpenPGP standard and various other improvements we now have a solid foundation for the future development of Mailvelope.
Security Audit of OpenPGP.js
In February 2014 Cure53 conducted an audit of the complete code base of OpenPGP.js. The penetration test yielded an overall of 26 issues. All critical, high and medium issues have been fixed. The complete report and status of the bug fixing can be found in the OpenPGP.js wiki. We continue to disclose all security audits to provide best possible transparency in our development process. See here also statement from OTF on "Bringing Openness to Security".
Impact of found vulnerabilities
Spoofing of cleartext signed messages: Mailvelope does not support verification of cleartext signed messages as of now and therefore was never vulnerable to this attack.
EME-PKCS1-v1_5 padding with weak random numbers: messages sent with Mailvelope prior to v0.8.0 are vulnerable to the "known padding" (aka "stereotyped message") case, an attack to recover the encrypted message is possible due to Coppersmith. However, the attack is only feasible if the used RSA key meets a certain "at-risk" condition:
An RSA encryption key is at risk if its modulus size is >= 256 times its public exponent. This condition is not met by most PGP keys. Probably fewer than 1/1000 PGP keys are "at-risk".Trevor Perrin, OTF Red Team
The complete analysis on the EME-PKCS1-v1_5 padding bug is available in the Mailvelope wiki.
Keys generated with Mailvelope have a higher exponent and are therefore "safe". Also the found numbers suggest that RSA keys generated with most modern software after the year 2000 are not in a risk condition.
The risk is further mitigated by the fact that, for Mailvelope on Google Chrome, a recovery of the padding is only possible for messages created within the same browser session. That means, given a target message from a "at-risk" key, an attacker requires the padding from a second regularly decrypted message created in the same browser session as the target message.
Signing of cleartext messages
The Mailvelope editor now allows the signing of messages.
Make now a backup of your keyring with the Export all keys feature.
Thanks go to all contributors of release v0.8.0, especially to the Open Technology Fund (RFA) for sponsoring the project. The Cure53 team for the thorough review and the improvements brought to OpenPGP.js. Also thanks to Trevor Perrin for further security analysis and assistance.