May 14 11:34 [raw]
All, in case you missed the announcement, have a look here: https://twitter.com/seecurity/status/995906576170053633 Until further announcements, it's safest to turn off any automatic PGP processing on your systems.
May 14 12:20 [raw]
Whitepaper: https://efail.de/efail-attack-paper.pdf

Luckily, since the remote code exploit in PyBitmessage I hardened my systems, so I'm not affected:
- my email client runs in firejail with a firewall that only allows it to connect to my mail server and pgp.net keyservers, and doesn't have access to the rest of the filesystem like configuration, documents and source code. I have to copy&paste if I want to follow a link, but it's just a small inconvenience
- converting from HTML to plaintext is done offline
- SMTP/IMAP passwords are encrypted using PGP, so are only unencrypted in memory

No more exfiltration.

Peter Surda
Bitmessage core developer
May 14 23:26 [raw]
As mentioned elsewhere this is FUD. Only applies to clients which are capable of loading HTML (and thereby XSS). Seems stupid to ban all PGP when you can just use Text-Only mode as is the case in Enigmail and others already for years.

Re-Cap from some devs:
https://twitter.com/robertjhansen
https://twitter.com/pEpFoundation/status/995959756090200065
May 14 23:26 [raw]
I haven't read the paper thoroughly, but they do mention possible attack vectors through email headers as well, which do not depend on HTML.

Peter Surda
Bitmessage core developer
May 15 05:34 [raw]
Which means that the attack is on mail clients and less so on GPG/PGP. Everything I've read thus far seems to implicate everything except the decryption process itself.
May 15 09:10 [raw]
Again I haven't read it thoroughly but it looks like the second component of the attack is a malleability vulnerability in some encryption algorithms (including those used by PGP). Combining these two is what broadens the scope of the problem.

Peter Surda
Bitmessage core developer
May 15 14:40 [raw]
Fortunately, there's a response from GnuPG: https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html

Even GnuPG is saying it's overplayed.

> 1. This paper is misnamed.
> 2. This attack targets buggy email clients.
> 3. The authors made a list of buggy email clients.

Then they go on about issues with CFB, etc, and how MDC comes into play.
May 16 04:08 [raw]
It's a very old bug (98), and if you have a too old GnuPG or mail client, you can see some warning about a "broke" message.