recentpopularlog in

bwiese : efail   2

In Apple Mail, There’s No Protecting PGP-Encrypted Messages
In a nutshell, the EFAIL attack works like this: First, the attacker needs a copy of a message that’s encrypted to your public key. They could get this by hacking your email account, hacking your email server, compelling your email provider to hand it over with a warrant, intercepting it while spying on the internet, or other ways. PGP was specifically designed to protect against this — the promise of PGP is that even attackers with copies of your encrypted messages can’t decrypt them, only you can. When you receive an email that’s encrypted to your public key, your email client automatically uses your secret key to decrypt it so that you can read it. The EFAIL researchers discovered that they could craft a special email that secretly includes a stolen encrypted message within it, and then send it to you. When you receive the malicious email, your email client uses your secret key to automatically decrypt the pilfered message within the malicious email, and then sends a decrypted copy of the stolen message back to the attacker — for example, through a web request to load an image into the email.
efail  encryption  pgp  gpg  email  cybersecurity 
june 2018 by bwiese
New PGP Encryption Exploits Are Being Discovered Almost Every Other Day
Gizmodo was alerted to flaws discovered as recently as Wednesday that currently impact multiple PGP implementations, including Enigmail (Thunderbird) and GPGTools (Apple Mail)—the technical details of which are withheld here while the appropriate developers are contacted and given time to address them.

“It wasn’t a case of having to write software to do this. You could literally just cut and paste what they said in the paper and use it. The video of how easy it was to use, that was the thing that clinched it for me—sitting and watching a video of someone just clicking a few buttons and being able to exfiltrate data.”

“It’s sometimes better to [temporarily] disable encryption (or decrypt in the terminal) than to have your whole past communication at stake.”
pgp  gpg  cybersecurity  crypto  encryption  efail  vulnerability 
june 2018 by bwiese

Copy this bookmark:





to read