1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Researchers warn of PGP/GPG email vulnerabilities

Discussion in 'Article Discussion' started by bit-tech, 14 May 2018.

  1. bit-tech

    bit-tech Supreme Overlord Staff Administrator

    Joined:
    12 Mar 2001
    Posts:
    988
    Likes Received:
    18
    Read more
     
  2. leexgx

    leexgx CPC hang out zone (i Fix pcs i do )

    Joined:
    28 Jun 2006
    Posts:
    1,320
    Likes Received:
    8
    Why uninstall it

    Its the email client that is the issue, if using thunderbird its going to be fixed soon (the problem is not with PGP it's with the email client)
     
  3. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,127
    Likes Received:
    615
    The problem is in the OpenPGP and S/MIME standards, which won't be fixed soon - but patches to workaround the problem will drop imminently.

    Meanwhile: the article has been updated.

    Full details of the vulnerabilities have now been released on the "efail" website. The vulnerabilities detailed use externally-loaded resources in HTML-format email to exfiltrate plaintext from encrypted emails. Immediate workarounds include disabling decryption in the email client and requiring manual decryption using an external utility - effectively following the EFF's recommendation to uninstall encrypted email add-ons to prevent automatic decryption and thus disclosure of plaintext - and disabling the rendering of HTML emails. Medium-term fixes will come in the form of patches, the researchers have promised, while the long-term solution will be to update the affected standards - OpenPGP, MIME, and S/MIME - to remove the risk altogether.
     
  4. edzieba

    edzieba Virtual Realist

    Joined:
    14 Jan 2009
    Posts:
    2,280
    Likes Received:
    100
    Bloody hell, one of the vulns is an unclosed tag attack?! That is "little bobby tables" level embarrassing.

    To paraphrase Miyazaki, "HTML in email was a mistake".
     
  5. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    8,231
    Likes Received:
    166
    The first thing i do with any email client is to disable HTML and/or only display in plain text, i guess there must be loads of reasons for HTML emails but they've always seemed to be on the wrong side of my risk/reward mentality.
     
  6. jb0

    jb0 Member

    Joined:
    8 Apr 2012
    Posts:
    255
    Likes Received:
    8
    Honestly, the problem is that SMTP is not designed to BE a secure communications platform. PGP is more secure than nothing, but operating on top of SMTP places limits on how secure it can actually be.
     
  7. leexgx

    leexgx CPC hang out zone (i Fix pcs i do )

    Joined:
    28 Jun 2006
    Posts:
    1,320
    Likes Received:
    8
    That has nothing to do with this issue

    smtp / pop3 and so on is the communication method to deliver emails

    Its the content and how client interacts with them is the issue (html in emails is Never a good idea)
     
Tags: Add Tags

Share This Page