• Welcome to Peterborough Linux User Group (Canada) Forum.
 

PGP email flaw

Started by ssfc72, May 14, 2018, 08:16:07 AM


ssfc72

The BBC article is here:  http://www.bbc.com/news/technology-44107570

See also:  https://efail.de

Seems to be tied to using HTML links in an email, so it recommends turning off HTML in your email program.
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

Jason

Thanks, Bill, for sharing this.

Of particular interest, I noticed this in the FAQ at the second link:

Quote: Can you read my emails? No. The EFAIL attacks require the attacker to have access to your S/MIME or PGP encrypted emails. You are thus only affected if an attacker already has access to your emails.


They also suggest the best way to avoid the potential attack vector is to not decrypt PGP-encrypted emails in the client. Instead, copy the ciphertext to a separate PGP program and decrypt it there, but the other short-term mitigation is what you suggest, turning off HTML.

Also note this answer to a question where some email clients are mentioned.

Quote: Is my email client affected?
Our analysis shows that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to reliably fix these vulnerabilities, Apple Mail, iOS Mail and Mozilla Thunderbird had even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute.


Also interesting that GnuPG in the BBC article says that the EFF has overblown the issue, that it's not an issue with S/MIME or PGP but the way various clients handle PGP decryption errors incorrectly. Of course this conflicts with what the efail team is reporting. We'll probably need more time to get the full story. It's not unheard of for firms to exaggerate vulnerabilities to promote their abilities.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB NVMe and a GeForce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13
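
Added example (not part of either forum post or of the efail.de material): one way to follow the "decrypt outside the mail client" mitigation discussed above, pulling the armored ciphertext out of a saved message without rendering any HTML and releasing plaintext only when gpg reports a clean decryption. The function names are hypothetical, the sample message is constructed, and `decrypt_outside_client` assumes `gpg` is on the PATH with the recipient's key available.

```python
import re
import subprocess
from email import message_from_string

ARMOR = re.compile(r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)

def extract_pgp_blocks(raw_message):
    """Collect armored PGP blocks from every MIME leaf part; nothing is rendered."""
    blocks = []
    for part in message_from_string(raw_message).walk():
        # get_payload(decode=True) undoes base64/QP and is None for containers
        body = part.get_payload(decode=True) or b""
        blocks += ARMOR.findall(body.decode("ascii", errors="replace"))
    return blocks

def decryption_trusted(status_output):
    """True only if gpg's status lines report success and no failure."""
    words = {f[1] for f in (l.split() for l in status_output.splitlines())
             if len(f) > 1 and f[0] == "[GNUPG:]"}
    return "DECRYPTION_OKAY" in words and not words & {"DECRYPTION_FAILED", "BADMDC"}

def decrypt_outside_client(block):
    """Run gpg on one block; return plaintext bytes, or None on any reported error."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt"],
                          input=block.encode(), capture_output=True)
    if proc.returncode != 0 or not decryption_trusted(proc.stderr.decode(errors="replace")):
        return None  # never pass partial or unauthenticated plaintext onward
    return proc.stdout

# Constructed sample: PGP/MIME layout with placeholder (not real) ciphertext.
SAMPLE = "\n".join([
    "Subject: constructed sample", "MIME-Version: 1.0",
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"',
    "",
    "--b1",
    "Content-Type: application/pgp-encrypted",
    "",
    "Version: 1",
    "--b1",
    "Content-Type: application/octet-stream",
    "",
    "-----BEGIN PGP MESSAGE-----",
    "",
    "Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=",
    "-----END PGP MESSAGE-----",
    "--b1--",
])

if __name__ == "__main__":
    print(extract_pgp_blocks(SAMPLE)[0])
```

The status check is deliberately strict: output from gpg is discarded unless `DECRYPTION_OKAY` appears and no failure keyword does, which is the error handling the GnuPG comment in the thread is about.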