
pgp

It has been a bad week for encrypted messaging and it’s only Wednesday | Ars Technica
Monday brought word of decade-old flaws that might reveal the contents of PGP- and S/MIME-encrypted emails. Some of the worst flaws resided in email clients such as Thunderbird and Apple Mail, and they offer a golden opportunity to attackers who have already intercepted previously sent messages. By embedding the intercepted ciphertext in invisible parts of a new message sent to a sender or receiver of the original email, attackers can force the client to leak the corresponding plaintext. Thunderbird and Mail have yet to be patched, although the Thunderbird flaw has been mitigated by an update published Wednesday in the Enigmail GPG plugin.
cybersecurity  encryption  pgp  signal  email  javascript  crypto 
yesterday by bwiese
EFAIL
The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.
...
There are two different flavors of EFAIL attacks. First, the direct exfiltration attack abuses vulnerabilities in Apple Mail, iOS Mail and Mozilla Thunderbird to directly exfiltrate the plaintext of encrypted emails. These vulnerabilities can be fixed in the respective email clients. The attack works like this. The attacker creates a new multipart email with three body parts as shown below. The first is an HTML body part essentially containing an HTML image tag. Note that the src attribute of that image tag is opened with quotes but not closed. The second body part contains the PGP or S/MIME ciphertext. The third is an HTML body part again that closes the src attribute of the first body part.
privacy  security  emacs  pgp  gpg 
4 days ago by some_hren
Attacks against GPG signed APT repositories - Packagecloud Blog

It is a common misconception that simply signing your packages and repository metadata with GPG is enough to create a secure APT repository. This is false. Many of the attacks outlined in the paper and this blog post are effective against GPG-signed APT repositories. GPG signing Debian packages themselves does nothing, as explained below. The easiest way to prevent the attacks covered below is to always serve your APT repository over TLS; no exceptions.


This is excellent research. My faith in GPG sigs on packages is well shaken.
apt  security  debian  packaging  gpg  pgp  packages  dpkg  apt-get  ops 
4 days ago by jm
Twitter
- Read Bruce Schneier's newsletter about this news item, that is, a flaw in the use of…
efail  pgp  from twitter
5 days ago by kimelmose
If you use PGP, you should probably stop • NY Mag
Brian Feldman:
If you use PGP encryption to protect your email, you might want to disable it for the time being. A team of European researchers have discovered vulnerabilities — they’re calling them “EFAIL” — which “might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.” In the meantime, the researchers and the Electronic Frontier Foundation are recommending (https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now) that users disable PGP plug-ins for popular email clients like Thunderbird and Apple Mail.

PGP (Pretty Good Privacy) is a popular encryption scheme in which a sender encrypts an email with the recipient’s public key, and the recipient decrypts it with their private key. Email client plug-ins can make this decryption process automatic, and an attacker can exploit that in concert with the way in which emails are rendered using HTML (similar to a web page).


The advice of "just stop using PGP for email" is good enough. Doesn't matter whether there's a problem with it. Layering encryption on top of email is like giving a lawnmower a fridge – especially when these days there are so many other end-to-end encrypted communications systems. Email isn't encrypted, and just isn't going that way. Or, as Wendy Grossman put it in 2011 (http://www.pelicancrossing.net/netwars/2011/10/crypto_the_revenge.html):

There are so many details you can get wrong to mess the whole thing up that if this stuff were a form of contraception, desperate parents would be giving babies away on street corners.
pgp  vulnerability  hacking 
5 days ago by charlesarthur