Project

General

Profile

Bug #7103

Feature #5663: Return to Icedove

Feature #6148: Torbirdy in Debian

Verify that GnuPG does not leak timezone in email signatures

Added by geb over 5 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
04/17/2014
Due date:
% Done:

100%

Feature Branch:
Type of work:
Research
Blueprint:
Starter:
Yes
Affected tool:

Description

Hi,

TorBirdy design doc [1] is a mentions potential timezone leak by thunderbird. Otherwise there is no information about potential timezone leak by GPG. GPG includes time when it is used to sign content.

The PGP RFC [2] tell that time fields should be in UTC. In my tests, GPG and enigmail print the date in local format. So it would be interesting to verify if they fully respect RFC and send messages with date in UTC.

[1] https://trac.torproject.org/projects/tor/raw-attachment/wiki/doc/TorifyHOWTO/EMail/Thunderbird/Thunderbird%2BTor.pdf
[2] https://tools.ietf.org/html/rfc4880#section-3.5


Related issues

Related to Tails - Feature #6284: Display time in local timezone Confirmed 10/27/2015

History

#1 Updated by intrigeri over 5 years ago

  • Subject changed from Verify that GPG don't leaks timezone in signs to Verify that GnuPG does not leak timezone in email signatures
  • Status changed from New to Confirmed
  • Starter changed from No to Yes

#2 Updated by intrigeri over 5 years ago

Note that currently, all Tails systems run with UTC timezone. But still, in case users change this (even if that's unsupported), we might want to care a bit about it.

#3 Updated by intrigeri over 5 years ago

#4 Updated by Vox about 5 years ago

  • Assignee set to Vox

#5 Updated by intrigeri about 5 years ago

Vox, I'm glad you're tackling this :)

#6 Updated by Vox about 5 years ago

  • % Done changed from 0 to 20

#7 Updated by Vox about 5 years ago

  • % Done changed from 20 to 60

#8 Updated by Vox about 5 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 60 to 90

About to complete. Double checking work. As of now, every test I've done in Tails results in GPG reports signature generation times in UTC.

#9 Updated by sajolida about 5 years ago

  • Priority changed from High to Normal

#10 Updated by Vox about 5 years ago

  • % Done changed from 90 to 100
  • QA Check set to Ready for QA

It seems that in order to change the time information for signature generation a user would need to change the system clock time and not just displayed time setting (currently the same--UTC).

If users are given the option to change displayed time by means of the command to set the system clock/time; then that wodul be reflected in signatures generated. If there is an option for them to change a local displayed time without affecting the system clock; then, it appears UTC will still be reported in signature generation.

#11 Updated by sajolida about 5 years ago

It seems that in order to change the time information for signature
generation a user would need to change the system clock time and not
just displayed time setting (currently the same--UTC).

Then it would need to be root.

If there is an option for them to
change a local displayed time without affecting the system clock;
then, it appears UTC will still be reported in signature generation.

We are working on an applet that would only display local time, but
keep UTC as the real system time: #6284. So that would work.

#12 Updated by BitingBird about 5 years ago

  • Status changed from In Progress to Resolved
  • QA Check changed from Ready for QA to Pass

#13 Updated by intrigeri over 3 years ago

  • Assignee deleted (Vox)

Also available in: Atom PDF