May 14 11:34 [raw]
All, in case you missed the announcement, have a look here: https://twitter.com/seecurity/status/995906576170053633
Until further announcements, it's safest to turn off any automatic PGP processing on your systems.
May 14 12:20 [raw]
Whitepaper: https://efail.de/efail-attack-paper.pdf
Luckily, since the remote code exploit in PyBitmessage I hardened my systems, so I'm not affected:
- my email client runs in firejail with a firewall that only allows it to connect to my mail server and pgp.net keyservers, and doesn't have access to the rest of the filesystem like configuration, documents and source code. I have to copy&paste if I want to follow a link, but it's just a small inconvenience
- converting from HTML to plaintext is done offline
- SMTP/IMAP passwords are encrypted using PGP, so are only unencrypted in memory
No more exfiltration.
Peter Surda
Bitmessage core developer
May 14 23:26 [raw]
As mentioned elsewhere, this is FUD. Only applies to clients which are capable of loading HTML (and thereby XSS). Seems stupid to ban all PGP when you can just use Text-Only mode, as is the case in Enigmail and others already for years.
Re-cap from some devs:
https://twitter.com/robertjhansen
https://twitter.com/pEpFoundation/status/995959756090200065
May 14 23:26 [raw]
I haven't read the paper thoroughly, but they do mention possible attack vectors through email headers as well, which do not depend on HTML.
Peter Surda
Bitmessage core developer
May 15 05:34 [raw]
Which means that the attack is on mail clients and less so on GPG/PGP. Everything I've read thus far seems to implicate everything except the decryption process itself.
May 15 09:10 [raw]
Again, I haven't read it thoroughly, but it looks like the second component of the attack is a malleability vulnerability in some encryption algorithms (including those used by PGP). Combining these two is what broadens the scope of the problem.
Peter Surda
Bitmessage core developer
May 15 14:40 [raw]
Fortunately, there's a response from GnuPG: https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html
Even GnuPG is saying it's overplayed.
> 1. This paper is misnamed.
> 2. This attack targets buggy email clients.
> 3. The authors made a list of buggy email clients.
Then they go on about issues with CFB, etc., and how MDC comes into play.
May 16 04:08 [raw]
It's a very old bug (98), and if you have too old a GnuPG or mail client, you can see some warning about a "broke" message.