Author Topic: PGP email flaw  (Read 1151 times)

0 Members and 1 Guest are viewing this topic.

Offline ssfc72

  • Posting Member
  • Hero Member
  • *
  • Posts: 1622
PGP email flaw
« on: May 14, 2018, 08:16:07 am »
The BBC article is here:

See also:

Seems to be tied to using HTML links in an email so it recommends turning off HTML, in your email program.
« Last Edit: May 14, 2018, 08:22:29 am by ssfc72 »
Mint 19.1 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MX Linux)
Cellphone ZTE Axon 7 Mini, PCMobile pay as you go

Offline Jason Wallwork

  • President
  • Administrator
  • Hero Member
  • *****
  • Posts: 3336
Re: PGP email flaw
« Reply #1 on: May 14, 2018, 09:16:32 am »
Thanks, Bill for sharing this.

Of particular interest, I noticed this in the FAQ at the second link:

Can you read my emails? No. The EFAIL attacks require the attacker to have access to your S/MIME or PGP encrypted emails. You are thus only affected if an attacker already has access to your emails.

They also suggest the best way to avoid the potential attack vector is to not decrypt PGP-encrypted emails in the client. Instead, copy the ciphertext to a separate PGP program and decrypt it there, but the other short term mitigation is what you suggest, turning off HTML.

Also note this answer to a question where some email clients are mentioned.

Is my email client affected?
Our analysis shows that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to reliably fix these vulnerabilities, Apple Mail, iOS Mail and Mozilla Thunderbird had even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute.

Also interesting that GnuPG in the BBC article says that the EFF has overblown the issue, that's it's not an issue with S/MIME or PGP but the way various clients handle PGP decryption errors incorrectly. Of course this conflicts with what the efail team is reporting. We'll probably need more time to get the full story. It's not unheard of for firms to exaggerate vulnerabilities to promote their abilities.
"With all its sham, drudgery, and broken dreams, it is still a beautiful world." - Max Ehrmann, Desiderata