Welcome to WebmasterWorld Guest from 3.227.2.109

Forum Moderators: open

Message Too Old, No Replies

Vulnerability Warning Affecting PGP and S/MIME

"immediately disable and/or uninstall tools..."

     
1:58 pm on May 14, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:26375
votes: 1035


PGP and S/MIME vulnerability could mean email content is exposed. A paper is being published on Tuesday explaining details, and early notification today helps to reduce the short term risk.

The warning indicates users should stop using these tools and use an alternative until suitable solutions are found.


is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

Velnerability Warning Affecting PGP and S/MIME [eff.org]
9:37 am on May 15, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


So use GPG instead? Just curious. I'm not encrypting email myself.
3:02 am on May 16, 2018 (gmt 0)

Preferred Member from US 

10+ Year Member

joined:Mar 10, 2004
posts: 471
votes: 51


Per the linked article, it includes GPG.
3:15 am on May 16, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


All I saw was the warning to disable PGP plugins if you use Apple Mail with GPGTools and Outlook with Gpg4win. I use neither, but have worked in the past with GPG as a stand alone encryption tool with mail servers.

So still wondering if the vulnerability found in Symantec's propriety PGP affects the open source GPG. They're not the same.

It's highly likely both are affected, but as I said above, just curious (thinking about contacting a couple people.)
3:31 pm on May 16, 2018 (gmt 0)

Preferred Member from US 

10+ Year Member

joined:Mar 10, 2004
posts: 471
votes: 51


I use Enigmail in Thunderbird, and it requires GPG to be installed.
5:36 am on May 22, 2018 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 15177
votes: 176


Turns out this wasn't such a big deal for PGP itself. It was more of an implementation issue by the e-mail clients and the plug-ins according to the GunPG people [lists.gnupg.org...]
The countermeasure Werner mentions is called a Modification Detection
Code, or MDC. It's been a standard part of GnuPG for almost eighteen
years. For almost all that time, any message which does not have an MDC
attached has caused GnuPG to throw up big, clear, and obvious warning
messages.

Of course the mail client and plug-in vendors are now asking why such a longstanding, well known issue wasn't addressed in GnuPG itself...

S/MIME on the other hand is turning out to be a big issue.