EmailDiscussions.com  

Go Back   EmailDiscussions.com > Discussions about Email Services > Email Comments, Questions and Miscellaneous
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

Email Comments, Questions and Miscellaneous Share your opinion of the email service you're using. Post general email questions and discussions that don't fit elsewhere.

Reply
 
Thread Tools
Old 14 May 2018, 05:48 PM   #1
edu
Senior Member
 
Join Date: Jun 2016
Posts: 170
PGP/GPG and S/MIME vulnerability

Bad news folks...

https://www.eff.org/deeplinks/2018/0...ake-action-now

https://twitter.com/seecurity/status/995906576170053633
edu is offline   Reply With Quote

Old 14 May 2018, 10:37 PM   #2
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,568
EFF's says, in the article quoted by the OP:
Quote:
Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.
How many people bother with PGP in general, and using it for email encryption in particular?
janusz is offline   Reply With Quote
Old 14 May 2018, 11:09 PM   #3
edu
Senior Member
 
Join Date: Jun 2016
Posts: 170
Quote:
Originally Posted by janusz View Post
EFF's says, in the article quoted by the OP:

How many people bother with PGP in general, and using it for email encryption in particular?
Im using it in 1 of my email accounts. Now its disabled until...
edu is offline   Reply With Quote
Old 15 May 2018, 01:05 AM   #4
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,568
OK, so it's fair to assume some of your friends use it too ...

Anyway, an explainer is here.
janusz is offline   Reply With Quote
Old 15 May 2018, 01:35 AM   #5
edu
Senior Member
 
Join Date: Jun 2016
Posts: 170
Quote:
Originally Posted by janusz View Post
OK, so it's fair to assume some of your friends use it too ...

Anyway, an explainer is here.
Thanks for the link
edu is offline   Reply With Quote
Old 15 May 2018, 03:13 AM   #6
edu
Senior Member
 
Join Date: Jun 2016
Posts: 170
GnuPG official statement

Please read:

https://lists.gnupg.org/pipermail/gn...ay/060334.html
edu is offline   Reply With Quote
Old 15 May 2018, 03:33 AM   #7
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,568
The last sentence of the GnuPG official statement says (my emphasis):
Quote:
A whole lot of people got scared, and over very little.
janusz is offline   Reply With Quote
Old 15 May 2018, 10:05 AM   #8
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 272
[OpenPGP] Email clients vulnerable / not-vulnerable.
https://efail.de/media/efail-disclosure-pgp.png

On the S/MIME side, only Claws and Mutt were found not vulnerable.

Efail
- Mitigations

From the GnuPG statement:

1. This paper is misnamed. It's not an attack on OpenPGP. It's an attack on broken email clients that ignore GnuPG's warnings and do silly things after being warned.

2. This attack targets buggy email clients. Correct use of the MDC completely prevents this attack. GnuPG has had MDC support since the summer of 2000.

Last edited by pjwalsh : 16 May 2018 at 09:22 AM.
pjwalsh is offline   Reply With Quote
Old 15 May 2018, 12:39 PM   #9
chrisretusn
Cornerstone of the Community
 
Join Date: Aug 2006
Location: Philippines
Posts: 666
My first reaction was oh my, also a little bit of yet another (not really) scare to the masses. After reading a bit, in particular the OpenPGP response and this series of tweets:
Quote:
Jan “I am my own bot” Wildeboer
‏ @jwildeboer
20h20 hours ago
Replying to @seecurity @x0rz

Why the drama? Why not simply release the details now instead of Hollywood style „come back tomorrow for more!“
3 replies 3 retweets 71 likes
Sebastian Schinzel
‏ @seecurity
20h20 hours ago

Because of the reasons you'll learn tomorrow.
9 replies 4 retweets 61 likes
Jan “I am my own bot” Wildeboer
‏ @jwildeboer
19h19 hours ago

EFF focuses on PGP, while you also mention S/MIME. I gather standalone use of GPG/PGP is safe? If yes, that should be made very clear. Or should we stop signing rpms, git commits with GPG too?
3 replies 2 retweets 21 likes
Sebastian Schinzel
‏ @seecurity
19h19 hours ago

The tweets and blog posts were written very carefully. Please also read them carefully. They contain anything you need to know until tomorrow.
2 replies 2 retweets 33 likes
I am going with yet another (not really scare).

I see by the report https://efail.de/ that as the OpenPGP folks state it a buggy email thing. It also bugs me a bit that a web site was created just for this. Wow! That really means it must be bad. This plays in fo fear big time. Just reading the web site has me want to run for cover.

Quote:
Originally Posted by janusz View Post
The last sentence of the GnuPG official statement says (my emphasis): A whole lot of people got scared, and over very little.
Pretty much sums it up.

On a plus side. My client is not vulnerable.

Last edited by chrisretusn : 15 May 2018 at 12:49 PM.
chrisretusn is offline   Reply With Quote
Old 15 May 2018, 01:09 PM   #10
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 272
No, PGP is not broken, not even with the Efail vulnerabilities
ProtonMail Blog, May 14
pjwalsh is offline   Reply With Quote
Old 16 May 2018, 02:04 PM   #11
chrisretusn
Cornerstone of the Community
 
Join Date: Aug 2006
Location: Philippines
Posts: 666
Quote:
Originally Posted by pjwalsh View Post
Good article.
chrisretusn is offline   Reply With Quote
Old 18 May 2018, 12:15 PM   #12
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 272
Enigmail was updated yesterday to correct for the vulnerability (May 16, v2.0.4).
https://enigmail.net/index.php/en/download/changelog

Mailvelope, the OpenPGP extension for Chrome and Firefox, was not subject to the Efail vulnerabilities.
https://www.mailvelope.com/en/blog/i...-on-mailvelope
pjwalsh is offline   Reply With Quote
Old 22 May 2018, 01:23 AM   #13
Mailfence
Senior Member
 
Join Date: Jun 2016
Location: Belgium
Posts: 120

Representative of:
Mailfence.com
Mailfence: Blogpost in regards to Efail vulnerabilities.

Mailfence blogpost: Mailfence is not impacted by Efail vulnerabilities.
Mailfence is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 05:49 PM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy