2018-09-29

For your and the others' safety

I use gmail and I was doing some cleaning to get rid of past things I don't need anymore, until I saw this message:

I am sure that this file (which is a password protected rar archive) is safe and doesn't contain anything dangerous. And by the way I was able to download it in the past. But why is it now blocked? Because now gmail isn't happy with password protected archives. For your safety, of course…

I wanted to check my attachments, too: sometimes I use gmail to send myself archives of things, both in order to transfer them from one computer to another and to keep them in (another) “cloudy” place.

Some of them can't be downloaded either. Most of them aren't password protected. They are just archives, but it happens they contain other (not password protected) archives. And this is another category Google now isn't happy with. Always for your safety…

The message makes you think there's some kind of danger, but it's false. There isn't any threat in any of those files, and password protected archives or archives in archives in general aren't dangerous per se.

Also, consider that this isn't a warning: you can't decide to ignore it and download the file anyway at your risk. In fact the download is actually disabled. Your data aren't yours: they can decide if you can, or you can't, use them at your will. For your own safety, and for the safety of the people you could damage, of course…

First, let's talk about solutions.

What can I do?

You can consider those files as kidnapped by Google, especially if they were files you were able to send and receive and download without any problems in the past.

Good news: paying a ransom you can get them back.

One way to pay is explained here:

This is a very high price, though.

A little bit cheaper is to use the mobile App: the download is blocked from the browser (i.e., from the webapp), not from the GMail mobile App, where you can indeed also save the attachment to Google Drive (tested on Android, I don't know if it works on other mobile systems too). Then downloading the file from Google Drive works fine, even from the browser.

These work, but aren't the right solutions. The only right solution is that gmail allows again (as it did before) for password protected archives and for archives containing archives.

Tricking

So far for the old attachments you have in your gmail account… Now, how do you send an archive containing other archives, or a password protected archive?

First of all, it seems very concerned by extensions, not content. If you take a plain text file and you call it plaintext.exe, gmail says blocked for security reasons. But it is just a text file, I swear!

If you take this innocent plaintext.exe file and you put it into a tar, it gets blocked, too. If you rename it to plaintext.txt, it's fine.

You can attach executables if you don't use the .exe extension: I've tried both with ELF and PE.

Archives must not contain “dangerous” files, and if you try to conceal the content by using a password, it blocks the attachment. It doesn't block password protected zip archives, provided that they don't contain the disallowed extensions. This must be because zip encryption (which isn't secure) doesn't encrypt the archive's list of contents, so that Google is still able to list the content and decide if it is dangerous (based on just the extension, MS Windows style…)

In fact it blocks 7z protected archives created with the -mhe=on option, since in this case 7z also encrypts the contents' list.
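To make the difference between the two kinds of check concrete, here is an added example (not part of the original post, and not Google's code) that lists a zip's entries and compares an extension-only verdict with one based on each entry's leading bytes. The `BLOCKED_EXT` set, the function names and the sample archive are assumptions constructed for the illustration.

```python
import io
import os
import zipfile

BLOCKED_EXT = {".exe"}  # assumption: the post only confirms that .exe is blocked
MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF"}  # leading bytes of PE and ELF files


def sniff(head):
    """Return the executable format the leading bytes indicate, or None."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def scan_zip(data):
    """Per entry: extension-only verdict next to a content-based one."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Entry names come from the central directory, which ordinary
        # zip password protection leaves readable.
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            ext = os.path.splitext(info.filename)[1].lower()
            kind = None
            if not encrypted and not info.is_dir():
                with zf.open(info) as fh:
                    kind = sniff(fh.read(4))
            report.append({
                "name": info.filename,
                "encrypted": encrypted,
                "blocked_by_extension": ext in BLOCKED_EXT,
                # None when not PE/ELF, or when the entry is encrypted
                # and its bytes cannot be inspected without the password
                "executable_by_content": kind,
            })
    return report


def build_sample():
    """Constructed sample: a text file named .exe and a PE stub named .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plaintext.exe", "just a text file\n")
        zf.writestr("notes.txt", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for row in scan_zip(build_sample()):
        print(row)
```

On the constructed sample the extension check flags the harmless text file and passes the PE stub, while the content check does the opposite.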

Now I have this 7z archive, encrypted with -mhe=on, and I want to send it anyway. I changed the extension and it worked!

You are going to use odd, maybe more than three characters long extensions for your attachment. Until Google decides to look deeper. In this case, let's encrypt the attachment with gpg, and if this won't be good for them, let's make the attachment look like garbage.

Maybe xorring each byte will be enough, and if it isn't, we can invent unconventional xorring patterns, and attach the source code of the de-xorring together with the xorred attachment.
