Announcement

Collapse
No announcement yet.

PGP and S/MIME vulnerabilities found

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    PGP and S/MIME vulnerabilities found

    https://www.eff.org/deeplinks/2018/0...ake-action-now

    I have never used e-mail encryption myself. I think nowadays there are easier ways to do encrypted communications with others such as using secure messengers like Wire or Signal.

    #2
    PGP and S/MIME vulnerabilities found

    https://lists.gnupg.org/pipermail/gn...ay/060315.html
    Has the complete dope. Read the entire chain. Surprising that the authors of the research didn’t adequately communicate with the GPG/PGP Team beforehand.

    I suspect the patch will be out shortly.

    From my POV a simple solution is to replace the / in a link with # before you send it. This will prevent the email client from automatically attempting to display the remote HTML page. The recipient can decide if the want to reverse the switch and open the link with a browser running in a sandbox like firejail.

    GnuPG gives an MDA warning but the encryption plugins don’t honor it.
    Last edited by GreyGeek; May 14, 2018, 06:37 AM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    Comment


      #3
      Couple more links: https://efail.de/

      https://www.eff.org/deeplinks/2018/0...and-pgp-flaw-0

      Comment


        #4
        Originally posted by Bings View Post
        Couple more links: https://efail.de/

        ...
        That source claims that KMail and ProtonMail, among others, are not affected by this bug. Other sources I've read state that they are.

        Posting this partial reveal today and reserving the full reveal for tomorrow, without having adequately informed GPG, GnuGP and PGP is irresponsible and smacks of strutting on stage for personal glory, IMO. "Look at us, look at what WE found!". Then being coy and stating that their Tweets were "carefully crafted" when asked to elaborate on specifics the user could take to mitigate the danger until tomorrow? Shame on them!

        Walter Koch, creator of GnuGP, has a thread on this announcement. Following the thread through to the last msg is very informative:
        https://lists.gnupg.org/pipermail/gn...ay/060315.html

        The first is very informative and describes the MDC (Modification detection code), and how it works and how some email clients ignore the warnings.

        For those who are not aware: PGP was released in 1991 by Phil Zimmerman as a proprietary tool. He left PGP in 1997 when he released the open sourced OpenPGP. Meanwhile, PGP changed hands several times over the years until 2010, when Symantec bought it. In 1999 Walter Koch released the open sourced GnuGP as an alternative to PGP before Symantec bought it. The OpenPGP standards was established by the IETF so that it would be interoperable with Symantec's PGP tools as well as OpenPGP standards. Therefore, PGP, GnuPG and OpenPGP can open and unencrypt any OpenPGP standards file.

        Personally, I've tried encryption on KMail in the past just to see how it works, and it worked beautifully. But, it only works if you keep the key you used to decrypt the email. If you revoke it or lose it and create and install another key then those previously encrypted emails aren't decrypted when you next try to see them. I stopped encrypting or signing my emails a couple years ago, primarily because I never send what I'd consider to be very private info: SSN, CC#, etc., by email, and encrypting ordinary email is, for me, a waste of CPU cycles.
        Last edited by GreyGeek; May 14, 2018, 02:29 PM.
        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
        – John F. Kennedy, February 26, 1962.

        Comment


          #5
          Another view of the PGP email problem:
          https://www.securitynow.com/author.a...&doc_id=743111
          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
          – John F. Kennedy, February 26, 1962.

          Comment

          Working...
          X