Discussion in 'Article Discussion' started by bit-tech, 14 May 2018.
Why uninstall it?
It's the email client that is the issue; if using Thunderbird, it's going to be fixed soon (the problem is not with PGP, it's with the email client).
The problem is in the OpenPGP and S/MIME standards, which won't be fixed soon - but patches to work around the problem will drop imminently.
Meanwhile: the article has been updated.
Full details of the vulnerabilities have now been released on the "efail" website. The vulnerabilities detailed use externally-loaded resources in HTML-format email to exfiltrate plaintext from encrypted emails. Immediate workarounds include disabling decryption in the email client and requiring manual decryption using an external utility - effectively following the EFF's recommendation to uninstall encrypted email add-ons to prevent automatic decryption and thus disclosure of plaintext - and disabling the rendering of HTML emails. Medium-term fixes will come in the form of patches, the researchers have promised, while the long-term solution will be to update the affected standards - OpenPGP, MIME, and S/MIME - to remove the risk altogether.
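The workaround described above (no HTML rendering for mail that also carries encrypted content), sketched as a check. This is an added illustration, not code from the article, the efail researchers or any mail client; the function name `audit`, the attribute list (not exhaustive) and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_bytes, policy

# Attributes whose URL an HTML renderer fetches without user interaction.
# Assumed, non-exhaustive list; the optional quote means an attribute whose
# closing quote is missing is still matched.
REMOTE_ATTR = re.compile(
    r"""\b(src|background|poster|srcset)\s*=\s*["']?\s*((?:https?:)?//[^\s"'>]*)""",
    re.IGNORECASE)
ENCRYPTED_TYPES = {"application/pgp-encrypted", "application/pkcs7-mime",
                   "application/x-pkcs7-mime"}
PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"

def audit(raw: bytes) -> dict:
    """Report remote-resource references and encrypted content in one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    remote, encrypted = [], False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted = True
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if PGP_ARMOR in body:          # inline (armored) PGP in a text part
            encrypted = True
        if ctype == "text/html":
            remote += [(m.group(1).lower(), m.group(2))
                       for m in REMOTE_ATTR.finditer(body)]
    # Policy: encrypted content plus any remote reference means no HTML rendering.
    render = "plain-text-only" if encrypted and remote else "default"
    return {"encrypted": encrypted, "remote_refs": remote, "render": render}

# Constructed sample: an HTML part with a remote image next to an armored block.
SAMPLE = (
    b"From: sender@example.invalid\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
    b"--B\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<p>hello</p><img src="http://img.example.invalid/a.png">\r\n'
    b"--B\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\n(constructed placeholder, not ciphertext)\r\n"
    b"-----END PGP MESSAGE-----\r\n--B--\r\n")

if __name__ == "__main__":
    print(audit(SAMPLE))
```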
Bloody hell, one of the vulns is an unclosed tag attack?! That is "little bobby tables" level embarrassing.
To paraphrase Miyazaki, "HTML in email was a mistake".
The first thing I do with any email client is to disable HTML and/or only display in plain text. I guess there must be loads of reasons for HTML emails, but they've always seemed to be on the wrong side of my risk/reward mentality.
Honestly, the problem is that SMTP is not designed to BE a secure communications platform. PGP is more secure than nothing, but operating on top of SMTP places limits on how secure it can actually be.
That has nothing to do with this issue.
SMTP / POP3 and so on are the communication methods to deliver emails.
It's the content and how the client interacts with it that is the issue (HTML in emails is never a good idea).