EmailDiscussions.com

EmailDiscussions.com (http://www.emaildiscussions.com/index.php)
-   Email Comments, Questions and Miscellaneous (http://www.emaildiscussions.com/forumdisplay.php?f=8)
-   -   PGP/GPG and S/MIME vulnerability (http://www.emaildiscussions.com/showthread.php?t=73746)

edu 14 May 2018 05:48 PM

PGP/GPG and S/MIME vulnerability
 
Bad news folks...

https://www.eff.org/deeplinks/2018/0...ake-action-now

https://twitter.com/seecurity/status/995906576170053633

janusz 14 May 2018 10:37 PM

EFF's says, in the article quoted by the OP:
Quote:

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.
How many people bother with PGP in general, and using it for email encryption in particular?

edu 14 May 2018 11:09 PM

Quote:

Originally Posted by janusz (Post 606550)
EFF's says, in the article quoted by the OP:

How many people bother with PGP in general, and using it for email encryption in particular?

Im using it in 1 of my email accounts. Now its disabled until...

janusz 15 May 2018 01:05 AM

OK, so it's fair to assume some of your friends use it too ...;)

Anyway, an explainer is here.

edu 15 May 2018 01:35 AM

Quote:

Originally Posted by janusz (Post 606552)
OK, so it's fair to assume some of your friends use it too ...;)

Anyway, an explainer is here.

Thanks for the link :)

edu 15 May 2018 03:13 AM

GnuPG official statement
 
Please read:

https://lists.gnupg.org/pipermail/gn...ay/060334.html

janusz 15 May 2018 03:33 AM

The last sentence of the GnuPG official statement says (my emphasis):
Quote:

A whole lot of people got scared, and over very little.

pjwalsh 15 May 2018 10:05 AM

[OpenPGP] Email clients vulnerable / not-vulnerable.
https://efail.de/media/efail-disclosure-pgp.png

On the S/MIME side, only Claws and Mutt were found not vulnerable.

Efail
- Mitigations

From the GnuPG statement:

1. This paper is misnamed. It's not an attack on OpenPGP. It's an attack on broken email clients that ignore GnuPG's warnings and do silly things after being warned.

2. This attack targets buggy email clients. Correct use of the MDC completely prevents this attack. GnuPG has had MDC support since the summer of 2000.

chrisretusn 15 May 2018 12:39 PM

My first reaction was oh my, also a little bit of yet another (not really) scare to the masses. After reading a bit, in particular the OpenPGP response and this series of tweets:
Quote:

Jan “I am my own bot” Wildeboer
‏ @jwildeboer
20h20 hours ago
Replying to @seecurity @x0rz

Why the drama? Why not simply release the details now instead of Hollywood style „come back tomorrow for more!“
3 replies 3 retweets 71 likes
Sebastian Schinzel
‏ @seecurity
20h20 hours ago

Because of the reasons you'll learn tomorrow.
9 replies 4 retweets 61 likes
Jan “I am my own bot” Wildeboer
‏ @jwildeboer
19h19 hours ago

EFF focuses on PGP, while you also mention S/MIME. I gather standalone use of GPG/PGP is safe? If yes, that should be made very clear. Or should we stop signing rpms, git commits with GPG too?
3 replies 2 retweets 21 likes
Sebastian Schinzel
‏ @seecurity
19h19 hours ago

The tweets and blog posts were written very carefully. Please also read them carefully. They contain anything you need to know until tomorrow.
2 replies 2 retweets 33 likes
I am going with yet another (not really scare).

I see by the report https://efail.de/ that as the OpenPGP folks state it a buggy email thing. It also bugs me a bit that a web site was created just for this. Wow! That really means it must be bad. This plays in fo fear big time. Just reading the web site has me want to run for cover.

Quote:

Originally Posted by janusz (Post 606556)
The last sentence of the GnuPG official statement says (my emphasis): A whole lot of people got scared, and over very little.

Pretty much sums it up.

On a plus side. My client is not vulnerable.

pjwalsh 15 May 2018 01:09 PM

No, PGP is not broken, not even with the Efail vulnerabilities
ProtonMail Blog, May 14

chrisretusn 16 May 2018 02:04 PM

Quote:

Originally Posted by pjwalsh (Post 606565)

Good article.

pjwalsh 18 May 2018 12:15 PM

Enigmail was updated yesterday to correct for the vulnerability (May 16, v2.0.4).
https://enigmail.net/index.php/en/download/changelog

Mailvelope, the OpenPGP extension for Chrome and Firefox, was not subject to the Efail vulnerabilities.
https://www.mailvelope.com/en/blog/i...-on-mailvelope

Mailfence 22 May 2018 01:23 AM

Mailfence: Blogpost in regards to Efail vulnerabilities.
 
Mailfence blogpost: Mailfence is not impacted by Efail vulnerabilities.


All times are GMT +9. The time now is 05:58 PM.


Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy