PGP/GPG and S/MIME vulnerability (http://www.emaildiscussions.com/showthread.php?t=73746)

edu 14 May 2018 04:48 PM

PGP/GPG and S/MIME vulnerability
 
Bad news folks...

https://www.eff.org/deeplinks/2018/0...ake-action-now

https://twitter.com/seecurity/status/995906576170053633

janusz 14 May 2018 09:37 PM

EFF says, in the article quoted by the OP:
Quote:

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.
How many people bother with PGP in general, and using it for email encryption in particular?

edu 14 May 2018 10:09 PM

Quote:

Originally Posted by janusz (Post 606550)
EFF says, in the article quoted by the OP:

How many people bother with PGP in general, and using it for email encryption in particular?

I'm using it in 1 of my email accounts. Now it's disabled until...

janusz 15 May 2018 12:05 AM

OK, so it's fair to assume some of your friends use it too ...;)

Anyway, an explainer is here.

edu 15 May 2018 12:35 AM

Quote:

Originally Posted by janusz (Post 606552)
OK, so it's fair to assume some of your friends use it too ...;)

Anyway, an explainer is here.

Thanks for the link :)

edu 15 May 2018 02:13 AM

GnuPG official statement
 
Please read:

https://lists.gnupg.org/pipermail/gn...ay/060334.html

janusz 15 May 2018 02:33 AM

The last sentence of the GnuPG official statement says (my emphasis):
Quote:

A whole lot of people got scared, and over very little.

pjwalsh 15 May 2018 09:05 AM

[OpenPGP] Email clients vulnerable / not-vulnerable.
https://efail.de/media/efail-disclosure-pgp.png

On the S/MIME side, only Claws and Mutt were found not vulnerable.

Efail
- Mitigations

From the GnuPG statement:

1. This paper is misnamed. It's not an attack on OpenPGP. It's an attack on broken email clients that ignore GnuPG's warnings and do silly things after being warned.

2. This attack targets buggy email clients. Correct use of the MDC completely prevents this attack. GnuPG has had MDC support since the summer of 2000.
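
As an added example (not code from this thread, from GnuPG, or from the Efail researchers): the GnuPG statement quoted above turns on whether a message carries an MDC, which in the OpenPGP packet format means the encrypted payload is a Symmetrically Encrypted Integrity Protected Data packet (tag 18) rather than the legacy Symmetrically Encrypted Data packet (tag 9). The Python script below walks the packet headers of a binary (non-armored) message following RFC 4880 framing and classifies it. The two sample messages and their packet bodies are constructed dummy bytes, not real ciphertext.

```python
"""Added example (not from this thread or from GnuPG): walk the packet headers
of a binary OpenPGP message and report whether the encrypted payload is the
integrity-protected SEIPD packet (tag 18, which carries the MDC) or the legacy
Symmetrically Encrypted Data packet (tag 9, which has no MDC). Packet framing
follows RFC 4880 sections 4.2 and 4.3. The sample messages at the bottom are
constructed byte strings with dummy bodies; they are not real ciphertext."""

# Packet tags from RFC 4880 section 4.3.
TAG_PKESK = 1    # Public-Key Encrypted Session Key
TAG_SKESK = 3    # Symmetric-Key Encrypted Session Key
TAG_SED = 9      # Symmetrically Encrypted Data (legacy, no MDC)
TAG_SEIPD = 18   # Symmetrically Encrypted and Integrity Protected Data (MDC)


def _slice(data, pos, n):
    """Return data[pos:pos+n], refusing to silently truncate a packet body."""
    if pos + n > len(data):
        raise ValueError(f"packet body truncated at offset {pos}")
    return data[pos:pos + n]


def _new_format_body(data, pos):
    """Body of a new-format packet whose length octets start at pos.
    Handles one-, two- and five-octet lengths and partial body lengths."""
    body = bytearray()
    while True:
        first = data[pos]
        if first < 192:
            n, pos, final = first, pos + 1, True
        elif first < 224:
            n, pos, final = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, True
        elif first == 255:
            n, pos, final = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, True
        else:  # 224..254: partial body length; another length octet follows the chunk
            n, pos, final = 1 << (first & 0x1F), pos + 1, False
        body += _slice(data, pos, n)
        pos += n
        if final:
            return bytes(body), pos


def _old_format_body(data, pos, length_type):
    """Body of an old-format packet; length_type is the low two bits of the CTB."""
    if length_type == 3:  # indeterminate length: body runs to end of input
        return data[pos:], len(data)
    width = (1, 2, 4)[length_type]
    n = int.from_bytes(_slice(data, pos, width), "big")
    pos += width
    return _slice(data, pos, n), pos + n


def parse_packets(data):
    """Return a list of (tag, body) tuples for the top-level packets in data."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"offset {pos}: not a packet header (bit 7 clear)")
        if ctb & 0x40:                       # new-format header: tag in low 6 bits
            tag = ctb & 0x3F
            body, pos = _new_format_body(data, pos + 1)
        else:                                # old-format header: tag in bits 2..5
            tag = (ctb >> 2) & 0x0F
            body, pos = _old_format_body(data, pos + 1, ctb & 0x03)
        packets.append((tag, body))
    return packets


def encrypted_payload_kind(data):
    """Classify the encrypted payload of a message by its packet tags."""
    tags = [tag for tag, _ in parse_packets(data)]
    if TAG_SED in tags:
        return "legacy-no-mdc"         # a client should refuse to render this
    if TAG_SEIPD in tags:
        return "integrity-protected"   # MDC present; tampering is detectable
    return "not-encrypted"


# Constructed sample 1: new-format PKESK (tag 1) followed by a SEIPD packet
# (tag 18) whose body is split across a partial length (0xE0 = 1-octet chunk)
# and a final 2-octet length. Bodies are dummy bytes.
MSG_WITH_MDC = bytes([0xC1, 0x03, 0x03, 0xAA, 0xBB,
                      0xD2, 0xE0, 0x01, 0x02, 0x42, 0x43])

# Constructed sample 2: old-format SKESK (tag 3) followed by a legacy SED packet
# (tag 9): old-format CTB = 0x80 | tag << 2 | length-type, so 0x8C and 0xA4.
MSG_LEGACY = bytes([0x8C, 0x02, 0x04, 0x09,
                    0xA4, 0x04, 0xDE, 0xAD, 0xBE, 0xEF])

if __name__ == "__main__":
    for name, msg in (("with MDC", MSG_WITH_MDC), ("legacy", MSG_LEGACY)):
        tags = [tag for tag, _ in parse_packets(msg)]
        print(f"{name}: tags={tags} -> {encrypted_payload_kind(msg)}")
```

The check only shows whether the message format permits integrity protection; GnuPG still has to verify the MDC at decryption time, and the client has to treat a failed check as a failure rather than render the output anyway, which is the client behaviour the statement criticises. The walker covers RFC 4880 framing, including partial body lengths, but does not inspect the version octet inside tag 18, so newer AEAD-based variants that reuse that tag are reported the same way.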

chrisretusn 15 May 2018 11:39 AM

My first reaction was oh my, also a little bit of yet another (not really) scare to the masses. After reading a bit, in particular the OpenPGP response and this series of tweets:
Quote:

Jan “I am my own bot” Wildeboer (@jwildeboer), replying to @seecurity @x0rz:
Why the drama? Why not simply release the details now instead of Hollywood style „come back tomorrow for more!“

Sebastian Schinzel (@seecurity):
Because of the reasons you'll learn tomorrow.

Jan “I am my own bot” Wildeboer (@jwildeboer):
EFF focuses on PGP, while you also mention S/MIME. I gather standalone use of GPG/PGP is safe? If yes, that should be made very clear. Or should we stop signing rpms, git commits with GPG too?

Sebastian Schinzel (@seecurity):
The tweets and blog posts were written very carefully. Please also read them carefully. They contain anything you need to know until tomorrow.
I am going with yet another (not really) scare.

I see by the report https://efail.de/ that, as the OpenPGP folks state, it's a buggy email thing. It also bugs me a bit that a web site was created just for this. Wow! That really means it must be bad. This plays into fear big time. Just reading the web site has me wanting to run for cover.

Quote:

Originally Posted by janusz (Post 606556)
The last sentence of the GnuPG official statement says (my emphasis): A whole lot of people got scared, and over very little.

Pretty much sums it up.

On the plus side, my client is not vulnerable.

pjwalsh 15 May 2018 12:09 PM

No, PGP is not broken, not even with the Efail vulnerabilities
ProtonMail Blog, May 14

chrisretusn 16 May 2018 01:04 PM

Quote:

Originally Posted by pjwalsh (Post 606565)

Good article.

pjwalsh 18 May 2018 11:15 AM

Enigmail was updated yesterday to correct for the vulnerability (May 16, v2.0.4).
https://enigmail.net/index.php/en/download/changelog

Mailvelope, the OpenPGP extension for Chrome and Firefox, was not subject to the Efail vulnerabilities.
https://www.mailvelope.com/en/blog/i...-on-mailvelope

Mailfence 22 May 2018 12:23 AM

Mailfence: Blogpost in regards to Efail vulnerabilities.
 
Mailfence blogpost: Mailfence is not impacted by Efail vulnerabilities.




Copyright EmailDiscussions.com 1998-2022. All Rights Reserved.