Yes, we can validate leaked emails

Post Syndicated from original https://blog.erratasec.com/2020/10/yes-we-can-validate-leaked-emails.html

When emails leak, we can know whether they are authentic or forged. It's the first question we should ask of today's leak of emails of Hunter Biden. It has a definitive answer.

Today's emails carry a "cryptographic signature" in their metadata: a DKIM signature added by the sending mail provider. Such signatures have been common for the past decade as one way of controlling spam, letting the receiving server verify that a message claiming to come from gmail.com really was relayed by Gmail's servers. The signature covers not only the sending domain but also the message body and the key headers the signer chose to include (for Gmail, this includes From, To, Subject and Date), so none of those can be altered without invalidating it. In other words, it authenticates the document, which account it was sent from, and when it was sent.

Crypto works. The only way to forge such a signature is to obtain the signer's private key, which lives on the provider's servers. In other words, when we see a 6-year-old message with a valid Gmail signature, we know either (a) it's genuine or (b) somebody hacked into Google and stole the signing key. Since (b) is extremely unlikely, and anyone who could hack Google could do far more damaging things with that access than forge one email, we have to assume (a). Two caveats a careful verifier keeps in mind: a valid signature proves Gmail's servers sent the message from that account, not that the account itself was never compromised; and checking an old signature requires that the domain still publish the public key for the selector (the "s=" tag) named in the signature, because once a provider rotates that key out of DNS the signature can no longer be checked either way.

Your email client normally hides this metadata from you, because it's boring and humans rarely want to see it. But it's still there in the original email document. An email message is simply a text document consisting of metadata (the header lines), followed by a blank line, followed by the message contents.

It takes no special skills to see metadata. If the person has enough skill to export the email to a PDF document, they have enough skill to export the email source. If they can upload the PDF to Scribd (as in the story), they can upload the email source. I show how below.

To show how this works, I send an email using Gmail to my private email server (from gmail.com to robertgraham.com).

The NYPost story shows the email printed as a PDF document. Thus, I do the same thing when the email arrives on my MacBook, using the Apple “Mail” app. It looks like the following:

The “raw” form originally sent from my Gmail account is simply a text document that looked like the following:

This is rather simple. Clients insert details like a "Message-ID" that humans don't care about. There are also internal formatting details, such as the fact that this is a "plain text" message rather than an "HTML" email.

But this raw document was the one sent by the Gmail web client. It then passed through Gmail’s servers, then was passed across the Internet to my private server, where I finally retrieved it using my MacBook.
As email messages pass through servers, each server adds its own metadata, such as a "Received:" header recording where the message came from and when.
When it arrived, the “raw” document looked like the following. None of the important bits changed, but a lot more metadata was added:

The bit you care about here is the “DKIM-Signature:” metadata.

This is added by Gmail's servers to anything sent from gmail.com. It "authenticates" or "verifies" that this email really did pass through those servers, and that the essential content hasn't been altered. The tags inside the header tell you exactly what was covered: "d=" names the signing domain, "s=" the selector (which DNS record holds the public key), "h=" the list of headers that were signed, "bh=" a hash of the message body, and "b=" the signature itself. The long strings of random-looking characters in "bh=" and "b=" are the "cryptographic signature". That's what all crypto is based upon: long chunks of random-looking data.

To extract this document, I used Apple’s “Mail” client program and selected “Save As…” from the “File” menu, saving as “Raw Message Source”.

I uploaded this document to Scribd so that anybody can download and play with it, such as verifying the signature.
To verify the email signature, I simply open the email document using Thunderbird (Mozilla's email client) with the "DKIM Verifier" extension, which validates that the signature is indeed correct. Thus we see it's a valid email sent by Gmail and that the key headers have not been changed:
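To make concrete what the DKIM-Signature header above contains and what a verifier such as the Thunderbird extension actually checks, here is an added example (my code, not the original post's and not Gmail's): a minimal RFC 6376 signer and verifier for "rsa-sha256" with "relaxed/relaxed" canonicalization, using only the Python standard library. Everything in it is constructed: the message, the domain names (gmail.example, robertgraham.example), the selector name "sel2016", and the RSA key, which is generated at run time and stands in for the provider's real signing key. The `dns` dictionary stands in for the DNS TXT lookup of `<selector>._domainkey.<domain>` that a real verifier performs, which is also how the "key rotated out of DNS" caveat is modelled. The RSA and prime-generation code is demo grade (not constant-time, no blinding) and is there only so the example runs offline.

```python
# Added example (not from the original post): DKIM sign + verify per RFC 6376, rsa-sha256,
# relaxed/relaxed canonicalization, standard library only. All names and keys are constructed.
import base64, hashlib, re, secrets

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 prefix

def canon_header(name, value):
    """Relaxed header canonicalization: lowercase name, unfold, squeeze whitespace."""
    value = re.sub(r"[ \t]*\r?\n[ \t]*", " ", value)
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value).strip() + "\r\n"

def canon_body(body):
    """Relaxed body canonicalization: squeeze whitespace, drop trailing blank lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "": lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def split_message(raw):
    """Header lines, a blank line, then the body; folded header lines are rejoined."""
    head, _, body = raw.partition("\r\n\r\n")
    fields = []
    for line in head.split("\r\n"):
        if line[:1] in " \t": fields[-1] = (fields[-1][0], fields[-1][1] + "\r\n" + line)
        else: fields.append(tuple(line.split(":", 1)))
    return fields, body

def parse_tags(value):
    """DKIM-Signature value is 'tag=value; tag=value; ...'; whitespace is insignificant."""
    return dict(kv.split("=", 1) for kv in re.sub(r"\s", "", value).split(";") if kv)

def header_hash_input(fields, hnames, sig_name, sig_value):
    """Signed headers in h= order (last instance of each), then DKIM-Signature with b= blanked, no final CRLF."""
    last = {name.lower(): (name, value) for name, value in fields}
    out = [canon_header(*last[h.lower()]) for h in hnames]  # assumes every h= header is present
    out.append(canon_header(sig_name, re.sub(r"\bb=[^;]*", "b=", sig_value)).rstrip("\r\n"))
    return "".join(out).encode()

def is_probable_prime(n, rounds=32):
    """Miller-Rabin; demo-grade key generation, not a production RSA library."""
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def gen_rsa(bits=1024):
    """Return (n, e, d); stands in for the provider's real signing key."""
    def prime(b):
        while True:
            p = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(p): return p
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:  # e is prime, so a nonzero remainder means coprime
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def pkcs1_v15_encode(digest, k):
    return b"\x00\x01" + b"\xff" * (k - len(SHA256_DIGESTINFO) - len(digest) - 3) + b"\x00" + SHA256_DIGESTINFO + digest
def rsa_sign(key, digest):
    n, _, d = key; k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_encode(digest, k), "big"), d, n).to_bytes(k, "big")
def rsa_verify(pub, digest, sig):
    n, e = pub; k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == pkcs1_v15_encode(digest, k)

def dkim_sign(raw, domain, selector, key, hnames=("from", "to", "subject", "date")):
    fields, body = split_message(raw)
    bh = base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()
    value = f" v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; h={':'.join(hnames)}; bh={bh}; b="
    hh = hashlib.sha256(header_hash_input(fields, hnames, "DKIM-Signature", value)).digest()
    return f"DKIM-Signature:{value}{base64.b64encode(rsa_sign(key, hh)).decode()}\r\n" + raw

def dkim_verify(raw, dns):
    """dns maps (domain, selector) -> (n, e), standing in for the TXT record <selector>._domainkey.<domain>."""
    fields, body = split_message(raw)
    sig = next(((nm, v) for nm, v in fields if nm.lower() == "dkim-signature"), None)
    if sig is None: return False, "no DKIM-Signature header"
    t = parse_tags(sig[1])  # assumes a=rsa-sha256 and c=relaxed/relaxed
    pub = dns.get((t.get("d"), t.get("s")))
    if pub is None: return False, "public key for this selector not published; cannot check either way"
    bh = base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()
    if bh != t.get("bh"): return False, "body hash mismatch: the body was altered"
    hh = hashlib.sha256(header_hash_input(fields, t["h"].split(":"), *sig)).digest()
    if not rsa_verify(pub, hh, base64.b64decode(t["b"])): return False, "bad signature: a signed header was altered"
    return True, f"valid signature from {t['d']} covering {t['h']} and the body"

def demo():
    key = gen_rsa(1024)
    dns = {("gmail.example", "sel2016"): key[:2]}  # the published public key (constructed domain/selector)
    msg = ("From: Alice <alice@gmail.example>\r\nTo: Bob <bob@robertgraham.example>\r\nSubject: test\r\n"
           "Date: Mon, 12 Oct 2020 10:00:00 -0400\r\nMessage-ID: <one@gmail.example>\r\n\r\nHello Bob  \r\n\r\n")
    signed = dkim_sign(msg, "gmail.example", "sel2016", key)
    return {
        "original": dkim_verify(signed, dns)[0],
        "body_changed": dkim_verify(signed.replace("Hello Bob", "Hello Bub"), dns)[0],
        "subject_changed": dkim_verify(signed.replace("Subject: test", "Subject: meeting"), dns)[0],
        "unsigned_header_changed": dkim_verify(signed.replace("<one@", "<two@"), dns)[0],  # Message-ID not in h=
        "key_no_longer_published": dkim_verify(signed, {})[0],
    }
```

Running `demo()` shows the two properties the post relies on and the two limits worth remembering: changing a single character of the body or of a signed header breaks verification, while a header not listed in "h=" (here Message-ID) can change freely, and once the public key is gone from DNS the signature can neither be confirmed nor refuted. Real verifiers do the same steps but fetch the key with a live DNS lookup and handle the other canonicalization modes and multiple signatures that this example leaves out.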

The same could be done with those emails from the purported Hunter Biden laptop. If they can be printed as a PDF (as in the news story) then they can also be saved in raw form and have their DKIM signatures verified.

This sort of thing is extraordinarily easy, something anybody with minimal computer expertise can accomplish. It would go a long way toward establishing the credibility of the story, proving that the emails were not forged. The fact that it wasn't done leads me to believe that nobody with minimal computer expertise was involved in the story.
The story contains the following paragraph about one of the emails recovered from the drive (the smoking gun claiming Pozharskyi met Joe Biden), describing how it was "allegedly sent". Who alleges this? If they have the email with a verifiable DKIM signature, no "alleging" is needed: it's confirmed. Since Pozharskyi used Gmail, we know the original would have had a valid signature.

Leaving allegations unconfirmed when they could so easily be confirmed seems odd for a story of this magnitude.

Note that the NYPost claims to have a copy of the original, so they should be able to do this sort of verification:

However, while they could in theory, it appears they didn't in practice. The PDF displayed in the story is up on Scribd, allowing anybody to download it. PDFs, like emails, also have metadata, which most PDF viewers will show you. It appears this PDF was created not after Sunday, when the NYPost got the hard drive, but back in September, when Trump's allies got the hard drive.
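The creation date mentioned above lives in the PDF's Info dictionary, which is plain text inside the file. As an added example (not from the original post, and the PDF bytes below are constructed, not the NYPost's file), here is how to pull those entries out and turn the PDF date format into a proper timestamp. Two caveats belong with it: this metadata is trivially editable, so it is a clue rather than proof; and many writers also store a second copy in an XMP metadata stream (`xmp:CreateDate`), so whether the two copies agree is itself worth checking. The parser handles only simple literal strings in the Info dictionary, which is what typical PDF writers emit.

```python
# Added example (not from the original post): read the creation/modification dates that a
# PDF carries in its Info dictionary. SAMPLE_PDF is constructed for this example.
import re
from datetime import datetime, timedelta, timezone

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Producer (Example PDF Writer) /Creator (Mail)"
    b" /CreationDate (D:20200901143012-04'00') /ModDate (D:20200901143012-04'00') >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

def parse_pdf_date(s):
    """PDF date string D:YYYYMMDDHHmmSSOHH'mm' -> timezone-aware datetime, or None if malformed.
    Everything after the year is optional; a missing offset or 'Z' means UTC."""
    m = re.fullmatch(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?(?:([Zz+-])(\d{2})?'?(\d{2})?'?)?", s)
    if not m:
        return None
    y, mo, d, h, mi, se, sign, oh, om = m.groups()
    tz = timezone.utc
    if sign in ("+", "-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(-off if sign == "-" else off)
    return datetime(int(y), int(mo or 1), int(d or 1), int(h or 0), int(mi or 0), int(se or 0), tzinfo=tz)

def pdf_info(pdf_bytes):
    """Collect the common Info-dictionary entries. Simplification: only literal (...) strings
    without escapes or nested parentheses. If the file was incrementally updated and carries
    several Info dictionaries, the last one in the file wins, matching how readers resolve it."""
    info = {}
    for key, val in re.findall(rb"/(Producer|Creator|CreationDate|ModDate)\s*\(([^)]*)\)", pdf_bytes):
        info[key.decode()] = val.decode("latin-1")
    for key in ("CreationDate", "ModDate"):
        if key in info:
            info[key] = parse_pdf_date(info[key])
    return info
```

To use it on a real file, read the bytes with `open(path, "rb").read()` and pass them to `pdf_info`; comparing `CreationDate` (with its timezone offset) against the date a document was supposedly obtained is exactly the check the paragraph above describes.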

Conclusion

It takes no special skills to do any of this. If the person has enough skill to export the email to a PDF document, they have enough skill to export the email source. Instead of "Export to PDF", select "Save As … Raw Message Source". Instead of uploading the .pdf file, upload the resulting .txt file to Scribd.
At this point, a journalist wouldn't need to verify DKIM themselves, or consult an expert: anybody could verify it. There are a ton of tools out there that can simply load that raw source email and verify it, such as the Thunderbird extension I used above.