On 05/15/2018 02:14 AM, Mirimir wrote:
On 05/14/2018 06:05 PM, Marina Brown wrote:
On 05/14/2018 07:49 PM, Mirimir wrote:
On 05/14/2018 06:48 AM, grarpamp wrote:
https://efail.de/
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
https://efail.de/efail-attack-paper.pdf
https://twitter.com/matthew_d_green/status/995989254143606789
https://news.ycombinator.com/item?id=17064129
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
The EFAIL attacks break PGP and S/MIME email encryption by coercing
clients into sending the full plaintext of the emails to the attacker.
In a nutshell, EFAIL abuses active content of HTML emails, for example
externally loaded images or styles, to exfiltrate plaintext through
requested URLs. To create these exfiltration channels, the attacker
first needs access to the encrypted emails, for example, by
eavesdropping on network traffic, compromising email accounts, email
servers, backup systems or client computers. The emails could even
have been collected years ago.
Thanks. That's the clearest explanation I've seen.
Remember the campaign against HTML email ? I do.
We were right.
--- Marina
Right, and its evil child, remote content.
I always disable HTML. And fetching of remote content.
And I have since the 90s. I got that from this list :)
It's funny that these exploits depend on both. And that some on HN put
it all on pgp/gpg, arguing that one can't expect users to know this
stuff. By default, Thunderbird does render HTML. But at least it doesn't
fetch remote content. So Thunderbird+Enigmail users should be safe.
Honestly i'm missing PINE and ELM right about now.
--- Marina
