Folks, I know this is probably going to have to wait 24 hours till the official release in order to see the details of the supposed break in PGP, but the EFF is advising those who use PGP and S/MIME to send secure emails to cease using and disable the tools with immediate effect following a major security scare. Can someone please explain what is actually broken, and if there is a current workaround, or if we have to go all the way back to development to fix whatever the actual issue is?
https://techcrunch.com/2018/05/14/researchers-warn-of-critical-flaw-affecting-pgp-and-s-mime/
Thanks
Folks, I know this is probably going to have to wait 24 hours till the
official release in order to see the details of the supposed break in
PGP, but the EFF is advising those who use PGP and S/MIME to send secure
emails to cease using and disable the tools with immediate effect
following a major security scare. Can someone please explain what is
actually broken, and if there is a current workaround, or if we have to
go all the way back to development to fix whatever the actual issue is?
tl;dr -- don't panic, and especially don't overreact. There are two
different attacks outlined in the Efail paper. One targets OpenPGP
directly, and GnuPG has had mitigations against it for almost twenty
years. (Literally. Almost twenty years. No, I am not kidding.)
The other one targets buggy MIME parsing by email clients. Enigmail
previously had some susceptibility to it, but as of Enigmail 2.0 we've
closed up all the leaks on our side of things. There is still a small
bit of attack surface in Thunderbird. The code to fix that has been
checked into Thunderbird and will be part of the next Thunderbird release.
In the interim, if you want to make absolutely certain you're immune to
the attack, disable HTML email.