What's an email?: PGP/OpenPGP and S/MIME Encrypted Mail Exposed by Vulnerability
0 replies, posted
https://www.forbes.com/sites/thomasbrewster/2018/05/14/pgp-encrypted-email-vulnerability-exposes-private-messages/#4ad034463e2a
The warning came from Sebastian Schinzel, lead of the IT security lab at the Münster University of Applied Sciences, who noted attacks
exploiting the vulnerability "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past." Though he
isn't revealing the full details until Tuesday May 15, the findings have spooked security conscious folk.
"Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email," the EFF wrote in a blog post.
The EFF has also offered guidance on how to remove plug-ins associated with PGP email, which users can find in the blog. Those plug-ins include ones for clients Apple Mail, Thunderbird and Outlook. It's currently unclear if web services like Protonmail, which use a form
of PGP, are affected.
They figured out mail clients which don't
properly check for decryption errors and also follow links in HTML
mails. So the vulnerability is in the mail clients and not in the
protocols. In fact OpenPGP is immune if used correctly while S/MIME has
no deployed mitigation.
— GNU Privacy Guard (@gnupg) May 14, 2018
There's even a website explaining this, titled "eFail":
https://efail.de/
There are two different flavors of EFAIL attacks. First, the direct exfiltration attack abuses vulnerabilities in Apple Mail, iOS Mail
'and Mozilla Thunderbird to directly exfiltrate the plaintext of encrypted emails.
With a link to the full, technical 21 page paper
https://efail.de/efail-attack-paper.pdf
https://twitter.com/robertjhansen/status/995968743409938432
Well. This is one way to wake up in the morning
Sorry, you need to Log In to post a reply to this thread.
