unspecified vulnerability in GPG

[chan] privacy
May 14 11:34 [raw]

All, in case you missed the announcement, have a look here: https://twitter.com/seecurity/status/995906576170053633 Until further announcements, it's safest to turn off any automatic PGP processing on your systems.

May 14 12:20 [raw]

Whitepaper: https://efail.de/efail-attack-paper.pdf Luckily, since the remote code exploit in PyBitmessage I hardened my systems, so I'm not affected: - my email client runs in firejail with a firewall that only allows to connect to my mail server and pgp.net keyservers, and doesn't have access to the rest of the filesystem like configuration, documents and source code. I have to copy&paste if I want to follow a link, but it's just a small inconvenience - converting from HTML to plaintext is done offline - SMTP/IMAP passwords are encrypted using PGP, so are only unencrypted in memory No more exfiltration. Peter Surda Bitmessage core developer

[chan] privacy
May 14 23:26 [raw]

As mentioned elsewhere this is FUD. Only applies to clients which are capable of loading HTML (and thereby XSS). Seems stupid to ban all PGP when you can just use Text-Only mode as is the case in Engimail and others already for years. Re-Cap from some devs: https://twitter.com/robertjhansen https://twitter.com/pEpFoundation/status/995959756090200065

May 14 23:26 [raw]

I haven't read the paper thoroughly, but they do mention possible attack vectors through email headers as well, which do not depend on HTML. Peter Surda Bitmessage core developer

May 15 05:34 [raw]

Which means that the attack is on mail clients and less so on GPG/PGP. Everything I've read thus far seems to implicate everything except the decryption process itself.

May 15 09:10 [raw]

Again I haven't read it thoroughly but it looks like the second component of the attack is a malleability vulnerability in some encryption algorithms (including those used by PGP). Combining these two is what broadens the scope of the problem. Peter Surda Bitmessage core developer

May 15 14:40 [raw]

Fortunately, there's a response from GnuPG: https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html Even GnuPG is saying it's overplayed. > 1. This paper is misnamed. > 2. This attack targets buggy email clients. > 3. The authors made a list of buggy email clients. Then they go on about issues with CFB, etc, and how MDC comes in to play.

[chan3] privacy
May 16 04:08 [raw]

It's very old bug(98), and if you have too old GnuPG or mail client, you can see some warning about "broke" message.

[chan] privacy

Subject Last Count
OTR interception May 21 09:00 34
yyy May 19 07:48 1
Introduction to Blockchain Analysis, Part I May 19 07:24 2
2018 : Der junge Karl Marx -- youtube.com/watch?v=AbM76KUm4IM -- 2 hours "Le Jeune Karl Marx" May 17 20:24 1
Signal-App is complete shit May 17 19:35 5
bitmessage tor hidden service May 17 10:16 2
unspecified vulnerability in GPG May 16 04:08 8
Cloudflare rant May 14 21:54 1
I'm sorry May 14 09:55 1
Good jokes - Belong to the channel [chan] Good Jokes BM-2cXELwioyGKqWMB3EfMBkrrTKzkP6xRaBG May 13 06:40 1
Good jokes May 13 05:00 9
Spy agency NSA triples collection of U.S. phone records: official report May 10 23:02 8
Digital Photocopiers Loaded With Secrets May 9 07:53 2
Warning for New Bitmessage Users May 7 22:28 1
not bullshit hacker spam May 7 13:33 1
SANDRA GOMEZ May 7 08:33 10
Email gateway May 5 00:28 10
hello Apr 30 00:32 4
i c u Apr 28 20:32 6
CloudFlare, We Have A Problem Apr 27 06:53 4
The Fake Truth Movement (Shills) Exposed Apr 26 02:45 3
Disconnect your Windows from NSA Apr 25 22:52 1
Ex-Facebook Executive: “You Don’t Realize It But You Are Being Programmed” Apr 25 07:53 3
So I was messing around with the Danwin webchat today.. Apr 24 18:46 1
Dread forums compromised? Apr 24 16:12 3
DNM subreddits banned, mods suspended Apr 24 00:26 1