Slashdot Mirror
Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org)
A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. From a report: EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages. The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific).
In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication. Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email. Further reading: People Are Freaking Out That PGP Is 'Broken' -- But You Shouldn't Be Using It Anyway (Motherboard).
In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication. Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email. Further reading: People Are Freaking Out That PGP Is 'Broken' -- But You Shouldn't Be Using It Anyway (Motherboard).
Isn't this supposed to be a peer reviewed...
Yes... which is how we know about the problem and can address it. Open Source isn't magic.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
In other news, lock picks can be used to open up your model of door lock. We advise you to remove all door locks from your door until a lock pick proof lock can be engineered and installed.
From https://lists.gnupg.org/piperm... :
> 1. This paper is misnamed.
Indeed
> 2. This attack targets buggy email clients.
Exactly
> 3. The authors made a list of buggy email clients.
Well said.
The MUA should not allow *any* utilization of HTTP when rendering a HTML E-mail. Any form of doing that is a serious mistake. Not only because of what is reported here, but also because that way *that* use of HTTP will allow spammers to identify when you open the E-mail. They use that to know if your E-mail adress is still alive.
Serious MUAs don't do this without user consent. Most HTML components even have a explicit offline mode exactly for that reason. Meaning that they won't automatically go online and fetch things like the src url of an IMG.
Any MUA that does this without user consent is completely and utterly wrong. Especially in a security sensitive context. This is something most MUA developers know about and if not, should know.
Seriously - there’s no good reason for an email which is important enough to encrypt to include html or other “rich formatting” anyway. Just turn it all off.
#DeleteChrome