Welcome to WebmasterWorld Guest from 54.92.164.184

Forum Moderators: open

Vulnerability Warning Affecting PGP and S/MIME

"immediately disable and/or uninstall tools..."

     
1:58 pm on May 14, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25560
votes: 756


PGP and S/MIME vulnerability could mean email content is exposed. A paper is being published on Tuesday explaining details, and early notification today helps to reduce the short term risk.

The warning indicates users should stop using these tools and use an alternative until suitable solutions are found.


is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

Velnerability Warning Affecting PGP and S/MIME [eff.org]
9:37 am on May 15, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12597
votes: 844


So use GPG instead? Just curious. I'm not encrypting email myself.
3:02 am on May 16, 2018 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 10, 2004
posts: 448
votes: 40


Per the linked article, it includes GPG.
3:15 am on May 16, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12597
votes: 844


All I saw was the warning to disable PGP plugins if you use Apple Mail with GPGTools and Outlook with Gpg4win. I use neither, but have worked in the past with GPG as a stand alone encryption tool with mail servers.

So still wondering if the vulnerability found in Symantec's propriety PGP affects the open source GPG. They're not the same.

It's highly likely both are affected, but as I said above, just curious (thinking about contacting a couple people.)
3:31 pm on May 16, 2018 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 10, 2004
posts: 448
votes: 40


I use Enigmail in Thunderbird, and it requires GPG to be installed.
5:36 am on May 22, 2018 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15114
votes: 155


Turns out this wasn't such a big deal for PGP itself. It was more of an implementation issue by the e-mail clients and the plug-ins according to the GunPG people [lists.gnupg.org...]
The countermeasure Werner mentions is called a Modification Detection
Code, or MDC. It's been a standard part of GnuPG for almost eighteen
years. For almost all that time, any message which does not have an MDC
attached has caused GnuPG to throw up big, clear, and obvious warning
messages.

Of course the mail client and plug-in vendors are now asking why such a longstanding, well known issue wasn't addressed in GnuPG itself...

S/MIME on the other hand is turning out to be a big issue.