Bug #7103

Verify that GnuPG does not leak timezone in email signatures

Added by geb 2014-04-17 14:15:10 . Updated 2016-05-10 04:30:53 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2014-04-17
Due date:
% Done:

100%

Feature Branch:
Type of work:
Research
Blueprint:

Starter:
1
Affected tool:
Deliverable for:
268

Description

Hi,

TorBirdy design doc [1] is a mentions potential timezone leak by thunderbird. Otherwise there is no information about potential timezone leak by GPG. GPG includes time when it is used to sign content.

The PGP RFC [2] tell that time fields should be in UTC. In my tests, GPG and enigmail print the date in local format. So it would be interesting to verify if they fully respect RFC and send messages with date in UTC.

[1] https://trac.torproject.org/projects/tor/raw-attachment/wiki/doc/TorifyHOWTO/EMail/Thunderbird/Thunderbird%2BTor.pdf
[2] https://tools.ietf.org/html/rfc4880#section-3.5

Subtasks

Related issues

Related to Tails - Feature #6284: Display time in local timezone Confirmed 2015-10-27

History

#1 Updated by intrigeri 2014-04-17 14:35:41

  • Subject changed from Verify that GPG don't leaks timezone in signs to Verify that GnuPG does not leak timezone in email signatures
  • Status changed from New to Confirmed
  • Starter changed from No to Yes

#2 Updated by intrigeri 2014-04-17 14:36:44

Note that currently, all Tails systems run with UTC timezone. But still, in case users change this (even if that’s unsupported), we might want to care a bit about it.

#3 Updated by intrigeri 2014-04-17 14:36:56

#4 Updated by Vox 2014-06-25 20:10:54

  • Assignee set to Vox

#5 Updated by intrigeri 2014-06-26 00:16:22

Vox, I’m glad you’re tackling this :)

#6 Updated by Vox 2014-06-27 16:07:22

  • % Done changed from 0 to 20

#7 Updated by Vox 2014-06-28 17:26:13

  • % Done changed from 20 to 60

#8 Updated by Vox 2014-06-30 16:54:12

  • Status changed from Confirmed to In Progress
  • % Done changed from 60 to 90

About to complete. Double checking work. As of now, every test I’ve done in Tails results in GPG reports signature generation times in UTC.

#9 Updated by sajolida 2014-07-10 20:24:10

  • Priority changed from High to Normal

#10 Updated by Vox 2014-08-05 16:36:08

  • % Done changed from 90 to 100
  • QA Check set to Ready for QA

It seems that in order to change the time information for signature generation a user would need to change the system clock time and not just displayed time setting (currently the same—UTC).

If users are given the option to change displayed time by means of the command to set the system clock/time; then that wodul be reflected in signatures generated. If there is an option for them to change a local displayed time without affecting the system clock; then, it appears UTC will still be reported in signature generation.

#11 Updated by sajolida 2014-08-06 08:50:10

> It seems that in order to change the time information for signature
> generation a user would need to change the system clock time and not
> just displayed time setting (currently the same—UTC).

Then it would need to be root.

> If there is an option for them to
> change a local displayed time without affecting the system clock;
> then, it appears UTC will still be reported in signature generation.

We are working on an applet that would only display local time, but
keep UTC as the real system time: Feature #6284. So that would work.

#12 Updated by BitingBird 2014-08-06 09:53:34

  • Status changed from In Progress to Resolved
  • QA Check changed from Ready for QA to Pass

#13 Updated by intrigeri 2016-05-10 04:30:53

  • Assignee deleted (Vox)