On 15-05-18 12:06, Andi via Users wrote:
Zitat von Martijn Brinkers via Users <users@lists.djigzo.com>:
Hi,
I have written a short blog article on EFAIL.
https://www.ciphermail.com/blog/efail-who-is-vulnerable-pgp-smime-or-your-mail-client.html
Kind regards,
Martijn Brinkers
On 14-05-18 14:40, CipherMail via Users wrote:
Hi,
This morning we were alerted about a new PGP vulnerability.
English:
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
Dutch:
https://tweakers.net/nieuws/138557/onderzoekers-stop-direct-met-gebruik-pgp-vanwege-lekken.html
What might be a secure fallback is to get a setting for ciphermail to
only decrypt valid signed e-mail and simply pass it along if there is no
signature or invalid signed. This could be a setting for the security
aware operator in the spirit of "better safe than sorry", no?
This will prevent ciphermail from using the decryption key in cases
where the user might get tricked to trust the sender otherwise.
That might work but I do not know how often email is encrypted and not
signed. Also in theory the attacker should be able to generate a signed
message (although I think this is not feasible in practice).
I have written a short article on how you can detect whether a decrypted
email was misused for EFAIL (see other email to mailing list).
Kind regards,
Martijn Brinkers
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
_______________________________________________
Users mailing list
Users@lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users
