Re: [Djigzo users] PGP New Vulnerabilities
On 15-05-18 12:06, Andi via Users wrote:

> Quoting Martijn Brinkers via Users:
>
>> Hi,
>>
>> I have written a short blog article on EFAIL.
>>
>> https://www.ciphermail.com/blog/efail-who-is-vulnerable-pgp-smime-or-your-mail-client.html
>>
>> Kind regards,
>>
>> Martijn Brinkers
>>
>> On 14-05-18 14:40, CipherMail via Users wrote:
>>
>>> Hi,
>>>
>>> This morning we were alerted about a new PGP vulnerability.
>>>
>>> English: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>>>
>>> Dutch: https://tweakers.net/nieuws/138557/onderzoekers-stop-direct-met-gebruik-pgp-vanwege-lekken.html
>
> What might be a secure fallback is to get a setting for CipherMail to only decrypt validly signed e-mail and simply pass it along if there is no signature or the signature is invalid. This could be a setting for the security-aware operator in the spirit of "better safe than sorry", no? This will prevent CipherMail from using the decryption key in cases where the user might otherwise get tricked into trusting the sender.

That might work, but I do not know how often email is encrypted and not signed. Also, in theory the attacker should be able to generate a signed message (although I think this is not feasible in practice).

I have written a short article on how you can detect whether a decrypted email was misused for EFAIL (see other email to mailing list).

Kind regards,

Martijn Brinkers

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and secure webmail pull.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail

___
Users mailing list
Users@lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users
Re: [Djigzo users] PGP New Vulnerabilities
Quoting Martijn Brinkers via Users:

> Hi,
>
> I have written a short blog article on EFAIL.
>
> https://www.ciphermail.com/blog/efail-who-is-vulnerable-pgp-smime-or-your-mail-client.html
>
> Kind regards,
>
> Martijn Brinkers
>
> On 14-05-18 14:40, CipherMail via Users wrote:
>
>> Hi,
>>
>> This morning we were alerted about a new PGP vulnerability.
>>
>> English: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>>
>> Dutch: https://tweakers.net/nieuws/138557/onderzoekers-stop-direct-met-gebruik-pgp-vanwege-lekken.html

What might be a secure fallback is to get a setting for CipherMail to only decrypt validly signed e-mail and simply pass it along if there is no signature or the signature is invalid. This could be a setting for the security-aware operator in the spirit of "better safe than sorry", no? This will prevent CipherMail from using the decryption key in cases where the user might otherwise get tricked into trusting the sender.

Regards

Andreas
Re: [Djigzo users] PGP New Vulnerabilities
Hi,

I have written a short blog article on EFAIL.

https://www.ciphermail.com/blog/efail-who-is-vulnerable-pgp-smime-or-your-mail-client.html

Kind regards,

Martijn Brinkers

On 14-05-18 14:40, CipherMail via Users wrote:

> Hi,
>
> This morning we were alerted about a new PGP vulnerability.
>
> English: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>
> Dutch: https://tweakers.net/nieuws/138557/onderzoekers-stop-direct-met-gebruik-pgp-vanwege-lekken.html

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and secure webmail pull.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail
[Djigzo users] PGP New Vulnerabilities
Hi,

This morning we were alerted about a new PGP vulnerability.

English: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

Dutch: https://tweakers.net/nieuws/138557/onderzoekers-stop-direct-met-gebruik-pgp-vanwege-lekken.html

--
With kind regards,

Arie

PGP: https://mail.koppelaar.org/arie.asc