• Critical PGP Email Encryption Security Flaw

    Author
    Topic
    #192185

    Users Warned of Critical PGP Email Encryption Security Flaw
    By Catalin Cimpanu | May 14, 2018

     
    A team of nine academics is warning the world about critical vulnerabilities in the PGP and S/MIME email encryption tools.

    The flaws, if exploited, allow an attacker to decrypt sent or received messages, according to the researcher team.

    Users are advised to disable email encryption to avoid any attackers from recovering past encrypted emails after the paper’s publication…
    Users in dire need of using encryption to protect their communications channels were advised to use an instant messaging client that supports end-to-end encryption, the EFF recommended.

     
    Read the full article here, which includes links to EFF’s published tutorials on disabling PGP and related plugins.

     

     
    Announcement from Electronic Frontier Foundation:
    Attention PGP Users: New Vulnerabilities Require You To Take Action Now
    May 13, 2018

    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

    3 users thanked author for this post.
    Viewing 2 reply threads
    Author
    Replies
    • #192189

      Also, from ArsTechnica.com:

      Critical PGP and S/MIME bugs can reveal encrypted e-mails. Uninstall now

      The flaws, can expose e-mails sent in the past and “pose an immediate threat.”

      By Dan Goodin | May 14, 2018

       
      The Internet’s two most widely used methods for encrypting e-mail–PGP and S/Mime–are vulnerable to hacks that can reveal the plaintext of encrypted messages, a researcher warned late Sunday night. He went on to say there are no reliable fixes and to advise anyone who uses either encryption standard for sensitive communications to remove them immediately from e-mail clients.

      … referred those affected to EFF instructions for disabling plug-ins in Thunderbird, macOS Mail, and Outlook. The instructions say only to “disable PGP integration in e-mail clients.” Interestingly, there’s no advice to remove PGP apps such as Gpg4win, GNU Privacy Guard. Once the plugin tools are removed from the Thunderbird, Mail or Outlook, the EFF posts said, “your emails will not be automatically decrypted.” On Twitter, EFF officials went on to say: “do not decrypt encrypted PGP messages that you receive using your email client.”

      Given the stature of the researchers and the confirmation from EFF, it’s worth heeding the advice to disable PGP and S/MIME in e-mail clients while waiting for more details to be released Monday night. Ars will publish many more details when they are publicly available.

       
      Read the full article here

      2 users thanked author for this post.
    • #192423

      OpenPGP, S/MIME Mail Client Vulnerabilities
      https://www.us-cert.gov/ncas/current-activity/2018/05/14/OpenPGP-SMIME-Mail-Client-Vulnerabilities

      Original release date: May 14, 2018

       
      The CERT Coordination Center (CERT/CC) has released information on email client vulnerabilities that can reveal plaintext versions of OpenPGP- and S/MIME-encrypted emails. A remote attacker could exploit these vulnerabilities to obtain sensitive information.

      NCCIC encourages users and administrators to review CERT/CC’s Vulnerability Note VU #122919, apply the necessary mitigations, and refer to software vendors for appropriate patches, when available.

       
      Mail Client Vulnerabilities List

    • #192511

      Does this mean that an ordinary gmail account that is accessed through the mail.google.com website without using anything like Thunderbird, Outlook, etc. is now suddenly at risk?

      That seems a bit hard to believe, or maybe the question is a stupid one, or maybemillions of accounts are are now potentially compromised. It seems like a lot of major players – including Google, Microsoft, and Apple haven’t made any statements, according to ‘mail client vulnerabilities list’ link above.

      • #192534

        If you are using PGP encryption for gmail (probably a browser extension), you should heed the warnings; otherwise, it shouldn’t be a worry.

         
        Another article on the vulnerability, now referred to as Efail, from @martinbrinkmann:
        OpenPGP and S/Mime vulnerability EFAIL discovered
        by Martin Brinkmann | May 14, 2018

        EFAIL is the name of a new set of vulnerabilities that allow attackers to exploit issues in OpenPGP and S/Mime to gain access to encrypted messages.

        EFAIL requires that the attacker managed to gain access to encrypted emails and that the target runs client software that is vulnerable to one of the two available attack types.

        Read the full article here

        3 users thanked author for this post.
        • #192540

          If I am using PGP, it’s without my knowledge. I’m just using gmail “straight out of the box” so to speak. No one I’ve ever sent an email to has ever had to decrypt anything and I’ve never had to decrypt anything from anyone else, so I’m assuming I really don’t have/use PGP.

          It’s starting to seem sometimes that everyone needs a degree in computer science to really understand what their computers are doing.

          1 user thanked author for this post.
    Viewing 2 reply threads
    Reply To: Critical PGP Email Encryption Security Flaw

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: