• Critical PGP Email Encryption Security Flaw

    Home » Forums » Cyber Security Information and Advisories » Code Red – Security/Privacy advisories » Critical PGP Email Encryption Security Flaw

    Tags:

    Author
    Topic
    Kirsty
    Manager
    May 14, 2018 at 2:44 am #192185
    Options

    Users Warned of Critical PGP Email Encryption Security Flaw
    By Catalin Cimpanu | May 14, 2018

     
    A team of nine academics is warning the world about critical vulnerabilities in the PGP and S/MIME email encryption tools.

    The flaws, if exploited, allow an attacker to decrypt sent or received messages, according to the researcher team.

    Users are advised to disable email encryption to avoid any attackers from recovering past encrypted emails after the paper’s publication…
    Users in dire need of using encryption to protect their communications channels were advised to use an instant messaging client that supports end-to-end encryption, the EFF recommended.

     
    Read the full article here, which includes links to EFF’s published tutorials on disabling PGP and related plugins.

     

     
    Announcement from Electronic Frontier Foundation:
    Attention PGP Users: New Vulnerabilities Require You To Take Action Now
    May 13, 2018

    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

    3 users thanked author for this post.
    AlexEiffel, Elly, woody
    Reply | Quote
    Viewing 2 reply threads
    Author
    Replies
    • Kirsty
      Manager
      May 14, 2018 at 2:53 am #192189
      Options

      Also, from ArsTechnica.com:

      Critical PGP and S/MIME bugs can reveal encrypted e-mails. Uninstall now
      The flaws, can expose e-mails sent in the past and “pose an immediate threat.”

      By Dan Goodin | May 14, 2018

       
      The Internet’s two most widely used methods for encrypting e-mail–PGP and S/Mime–are vulnerable to hacks that can reveal the plaintext of encrypted messages, a researcher warned late Sunday night. He went on to say there are no reliable fixes and to advise anyone who uses either encryption standard for sensitive communications to remove them immediately from e-mail clients.

      … referred those affected to EFF instructions for disabling plug-ins in Thunderbird, macOS Mail, and Outlook. The instructions say only to “disable PGP integration in e-mail clients.” Interestingly, there’s no advice to remove PGP apps such as Gpg4win, GNU Privacy Guard. Once the plugin tools are removed from the Thunderbird, Mail or Outlook, the EFF posts said, “your emails will not be automatically decrypted.” On Twitter, EFF officials went on to say: “do not decrypt encrypted PGP messages that you receive using your email client.”

      Given the stature of the researchers and the confirmation from EFF, it’s worth heeding the advice to disable PGP and S/MIME in e-mail clients while waiting for more details to be released Monday night. Ars will publish many more details when they are publicly available.

       
      Read the full article here

      2 users thanked author for this post.
      Elly, woody
      Reply | Quote
    • Kirsty
      Manager
      May 15, 2018 at 12:24 am #192423
      Options

      OpenPGP, S/MIME Mail Client Vulnerabilities
      https://www.us-cert.gov/ncas/current-activity/2018/05/14/OpenPGP-SMIME-Mail-Client-Vulnerabilities

      Original release date: May 14, 2018

       
      The CERT Coordination Center (CERT/CC) has released information on email client vulnerabilities that can reveal plaintext versions of OpenPGP- and S/MIME-encrypted emails. A remote attacker could exploit these vulnerabilities to obtain sensitive information.

      NCCIC encourages users and administrators to review CERT/CC’s Vulnerability Note VU #122919, apply the necessary mitigations, and refer to software vendors for appropriate patches, when available.

       
      Mail Client Vulnerabilities List

      Reply | Quote
    • DrBonzo
      AskWoody Plus
      May 15, 2018 at 12:28 pm #192511
      Options

      Does this mean that an ordinary gmail account that is accessed through the mail.google.com website without using anything like Thunderbird, Outlook, etc. is now suddenly at risk?

      That seems a bit hard to believe, or maybe the question is a stupid one, or maybemillions of accounts are are now potentially compromised. It seems like a lot of major players – including Google, Microsoft, and Apple haven’t made any statements, according to ‘mail client vulnerabilities list’ link above.

      Reply | Quote
      • Kirsty
        Manager
        May 15, 2018 at 2:00 pm #192534
        Options

        If you are using PGP encryption for gmail (probably a browser extension), you should heed the warnings; otherwise, it shouldn’t be a worry.

         
        Another article on the vulnerability, now referred to as Efail, from @martinbrinkmann:
        OpenPGP and S/Mime vulnerability EFAIL discovered
        by Martin Brinkmann | May 14, 2018

        EFAIL is the name of a new set of vulnerabilities that allow attackers to exploit issues in OpenPGP and S/Mime to gain access to encrypted messages.

        EFAIL requires that the attacker managed to gain access to encrypted emails and that the target runs client software that is vulnerable to one of the two available attack types.

        Read the full article here

        3 users thanked author for this post.
        Morty, jburk07, DrBonzo
        Reply | Quote
        • DrBonzo
          AskWoody Plus
          May 15, 2018 at 2:37 pm #192540
          Options

          If I am using PGP, it’s without my knowledge. I’m just using gmail “straight out of the box” so to speak. No one I’ve ever sent an email to has ever had to decrypt anything and I’ve never had to decrypt anything from anyone else, so I’m assuming I really don’t have/use PGP.

          It’s starting to seem sometimes that everyone needs a degree in computer science to really understand what their computers are doing.

          1 user thanked author for this post.
          jburk07
          Reply | Quote
    Viewing 2 reply threads
    Reply To: Critical PGP Email Encryption Security Flaw

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information:




DON'T MISS OUT!
Subscribe to the AskWoody Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • How to use the Forums
  • All Forums

    • Recent Topics

    March 2023
    S M T W T F S
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.