|
Email Comments, Questions and Miscellaneous Share your opinion of the email service you're using. Post general email questions and discussions that don't fit elsewhere. |
|
Thread Tools |
14 May 2018, 04:48 PM | #1 |
Senior Member
Join Date: Jun 2016
Posts: 194
|
PGP/GPG and S/MIME vulnerability
|
14 May 2018, 09:37 PM | #2 | |
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,945
|
EFF's says, in the article quoted by the OP:
Quote:
|
|
14 May 2018, 10:09 PM | #3 |
Senior Member
Join Date: Jun 2016
Posts: 194
|
|
15 May 2018, 12:05 AM | #4 |
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,945
|
|
15 May 2018, 12:35 AM | #5 | |
Senior Member
Join Date: Jun 2016
Posts: 194
|
Quote:
|
|
15 May 2018, 02:13 AM | #6 |
Senior Member
Join Date: Jun 2016
Posts: 194
|
GnuPG official statement
|
15 May 2018, 02:33 AM | #7 | |
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,945
|
The last sentence of the GnuPG official statement says (my emphasis):
Quote:
|
|
15 May 2018, 09:05 AM | #8 |
Essential Contributor
Join Date: Dec 2008
Location: Canada
Posts: 312
|
[OpenPGP] Email clients vulnerable / not-vulnerable.
https://efail.de/media/efail-disclosure-pgp.png On the S/MIME side, only Claws and Mutt were found not vulnerable. Efail - Mitigations From the GnuPG statement: 1. This paper is misnamed. It's not an attack on OpenPGP. It's an attack on broken email clients that ignore GnuPG's warnings and do silly things after being warned. 2. This attack targets buggy email clients. Correct use of the MDC completely prevents this attack. GnuPG has had MDC support since the summer of 2000. Last edited by pjwalsh : 16 May 2018 at 08:22 AM. |
15 May 2018, 11:39 AM | #9 | ||
Cornerstone of the Community
Join Date: Aug 2006
Location: Philippines
Posts: 846
|
My first reaction was oh my, also a little bit of yet another (not really) scare to the masses. After reading a bit, in particular the OpenPGP response and this series of tweets:
Quote:
I see by the report https://efail.de/ that as the OpenPGP folks state it a buggy email thing. It also bugs me a bit that a web site was created just for this. Wow! That really means it must be bad. This plays in fo fear big time. Just reading the web site has me want to run for cover. Quote:
On a plus side. My client is not vulnerable. Last edited by chrisretusn : 15 May 2018 at 11:49 AM. |
||
15 May 2018, 12:09 PM | #10 |
Essential Contributor
Join Date: Dec 2008
Location: Canada
Posts: 312
|
No, PGP is not broken, not even with the Efail vulnerabilities
ProtonMail Blog, May 14 |
16 May 2018, 01:04 PM | #11 | |
Cornerstone of the Community
Join Date: Aug 2006
Location: Philippines
Posts: 846
|
Quote:
|
|
18 May 2018, 11:15 AM | #12 |
Essential Contributor
Join Date: Dec 2008
Location: Canada
Posts: 312
|
Enigmail was updated yesterday to correct for the vulnerability (May 16, v2.0.4).
https://enigmail.net/index.php/en/download/changelog Mailvelope, the OpenPGP extension for Chrome and Firefox, was not subject to the Efail vulnerabilities. https://www.mailvelope.com/en/blog/i...-on-mailvelope |
22 May 2018, 12:23 AM | #13 |
Senior Member
Join Date: Jun 2016
Location: Belgium
Posts: 152
Representative of:
Mailfence.com |
Mailfence: Blogpost in regards to Efail vulnerabilities.
Mailfence blogpost: Mailfence is not impacted by Efail vulnerabilities.
|