remaisunlp shared

Interesting PGP warning: eff.org/deeplinks/2018/05/atte

Unpacking things a bit: the advice is to disable *automatic* decryption of *e-mail*.

This implies there is a way to exploit automatic e-mail decryption as an oracle that leaks information about your keys back to the attacker.

So there must be a side-channel back to the attacker. My guess is the channel is MDNs (read receipts) or exploiting HTML mail in some way.

If so, #Mailpile is not vulnerable. But I'm only guessing - time will tell.

remaisunlp shared

@elbinario

Well, today of all days is not the best time 😂

"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email".

eff.org/deeplinks/2018/05/atte

remaisunlp shared

@paul

As it turns out, we can really keep calm.

Here we go: lists.gnupg.org/pipermail/gnup

Just continue your day and use PGP as usual with forced plaintext mails and signed + encrypted mails.

#PGP #GPG #SMIME

remaisunlp shared

F*** EFF, I won't take 'em seriously anymore... 😡 😡 😡

"They figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation."

twitter.com/gnupg/status/99593

remaisunlp shared

> Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

remaisunlp shared

Urgent: Critical PGP and S/MIME bugs can reveal encrypted e-mails. Uninstall now https://gnusocial.net/url/1043120 #GPG #PGP

remaisunlp shared

We have received this urgent info about a major security and privacy flaw in PGP/GPG from a user in the room (ceighlano) https://gnusocial.net/url/1043036 It is advisable to follow the instructions, disable e-mail encryption plugins, and use end-to-end encryption programs until more details are available.