Author Topic: PGP email flaw  (Read 8 times)

Offline ssfc72

PGP email flaw
« on: May 14, 2018, 08:16:07 am »
The BBC article is here:  http://www.bbc.com/news/technology-44107570

See also:  https://efail.de

Seems to be tied to using HTML links in an email, so it recommends turning off HTML in your email program.
« Last Edit: May 14, 2018, 08:22:29 am by ssfc72 »
Mint 18.3 on an HP Pavilion X360, 11" k120ca notebook
Cellphone ZTE Axon 7 Mini, PCMobile pay as you go

Offline Jason Wallwork

Re: PGP email flaw
« Reply #1 on: May 14, 2018, 09:16:32 am »
Thanks, Bill, for sharing this.

Of particular interest, I noticed this in the FAQ at the second link:

Quote
Can you read my emails?
No. The EFAIL attacks require the attacker to have access to your S/MIME or PGP encrypted emails. You are thus only affected if an attacker already has access to your emails.


They also suggest the best way to avoid the potential attack vector is to not decrypt PGP-encrypted emails in the client. Instead, copy the ciphertext to a separate PGP program and decrypt it there. The other short-term mitigation is what you suggest: turning off HTML.

Also note this answer to a question where some email clients are mentioned.

Quote
Is my email client affected?
Our analysis shows that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to reliably fix these vulnerabilities, Apple Mail, iOS Mail and Mozilla Thunderbird had even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute.


Also interesting that GnuPG in the BBC article says that the EFF has overblown the issue, that it's not an issue with S/MIME or PGP but the way various clients handle PGP decryption errors incorrectly. Of course, this conflicts with what the efail team is reporting. We'll probably need more time to get the full story. It's not unheard of for firms to exaggerate vulnerabilities to promote their abilities.
Primary: Desktop Tower with LM 18.3 Cinnamon on i5-3470 3.2 Ghz with 12 GB RAM, 64 GB SSD for OSes, 4 TB RAID-10 array for programs/data

Secondary/Test: Toshiba Satellite Ultrabook Z830-00K w/ Linux Du Jour, (i3-2367M 1.4 GHz, 4GB DDR3, 128GB SDD)
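
The mitigation mentioned in the reply above (decrypt outside the mail client rather than in it), as an added example that is not part of the original thread: a script that pulls the ASCII-armored ciphertext out of a saved raw message without rendering any HTML, so it can be handed to a separate PGP program. The function names, the `message-N.asc` output names and the sample message are assumptions made for illustration.

```python
import re
import sys
from email import message_from_string, policy

ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.DOTALL)

# Constructed sample message; the armored body is a placeholder, not real ciphertext.
SAMPLE_EMAIL = """\
From: alice@example.org
To: bob@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html

<p>Hello Bob</p>
--BOUND
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----

PLACEHOLDERNOTREALCIPHERTEXT
=AAAA
-----END PGP MESSAGE-----
--BOUND--
"""

def _leaf_parts(raw):
    # Parse the MIME tree only; nothing is rendered or fetched.
    msg = message_from_string(raw, policy=policy.default)
    return [p for p in msg.walk() if not p.is_multipart()]

def extract_armored_blocks(raw):
    """Return every ASCII-armored PGP message found in any MIME part."""
    blocks = []
    for part in _leaf_parts(raw):
        data = part.get_payload(decode=True) or b""
        text = data.decode("utf-8", errors="replace").replace("\r\n", "\n")
        blocks.extend(ARMOR_RE.findall(text))
    return blocks

def count_html_parts(raw):
    """Number of text/html parts a mail client would render for this message."""
    return sum(1 for p in _leaf_parts(raw) if p.get_content_type() == "text/html")

if __name__ == "__main__":
    raw = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
           if len(sys.argv) > 1 else SAMPLE_EMAIL)
    print(f"HTML parts in message: {count_html_parts(raw)}")
    for i, block in enumerate(extract_armored_blocks(raw), 1):
        name = f"message-{i}.asc"  # hypothetical output name
        with open(name, "w", encoding="ascii", errors="replace") as fh:
            fh.write(block + "\n")
        print(f"wrote {name}; decrypt outside the mail client: gpg --decrypt {name}")
```
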