<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, May 14, 2018 at 12:07 PM, Jack Harper <span dir="ltr"><<a href="mailto:harper@secureoutcomes.net" target="_blank">harper@secureoutcomes.net</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
At 12:48 AM 5/14/2018, James S. Tyre wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
...An important urgent notice from EFF regarding PGP and S/MIME communications. <a href="https://twitter.com/seecurity/status/995906638556155904" rel="noreferrer" target="_blank">https://twitter.com/seecurity/<wbr>status/995906638556155904</a> <a href="https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now" rel="noreferrer" target="_blank">https://www.eff.org/deeplinks/<wbr>2018/05/attention-pgp-users-ne<wbr>w-vulnerabilities-require-you-<wbr>take-action-now</a> Dear Colleagues, A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME....<br>
</blockquote>
<br>
<br>
Am I correct that the found PGP flaw appears to only affect enciphered e-mail traffic and not files that are enciphered by PGP but not mailed?<br>
<br>
I use PGP to protect sensitive files on my laptop when traveling etc.<br>
<br>
Thoughts?<br></blockquote><div><br>Thought or speculation... <br><br>One of of the Efail <a href="https://efail.de/">https://efail.de/</a> bugs and attacks involves previously harvested messages.<br><br>So yes, I think there is a risk if your sensitive files had been harvested. Perhaps someone could<br>craft a message that presents them as S/MIME attachments and trick you to act<br></div><div>on them. So one 'speculation is a TLA at a border or other opportunity might have </div><div>copies and send you a message via a friend from your contact list and ...<br><br>Enigma mail in ThunderBird does have an option to automatically decrypt files.<br>Most agents have auto download of "images" that might then be <br>previously harvested encrypted content. <br><br>I have shut off <span style="white-space:nowrap;color:rgb(0,0,0);font-family:Roboto,system-ui,sans-serif;font-size:13px">Mailvelope in Gmail as an unknown and and removing it for now.<br></span><br>In once case the advice is to remove/move all keys from the visibility <br>of your mail client. <br><br>The linux kernel mailing list may have the correct strategy ;-)<br>but that is a slight diversion. From their FAQ:<br><ul style="color:rgb(0,0,0);font-family:Times;font-size:medium;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:left;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><li><font color="#0000FF">(MEA)</font><span> </span>Some structures are forbidden as they appear to be used way too much in SPAM mail. Specifically, messages with<span> </span><tt>Content-Type: text/html</tt><span> </span>either as the only (primary) message, or as ANY of component sub-messages are considered spam, and rejected outright without any info to the sender.<span> </span><br>Also, any message with header matching the regular expression:<span> </span><tt>X-Mailing-List:.*@<a href="http://vger.kernel.org">vger.kernel.org</a></tt><span> </span>is considered to be LOOPING somewhere, and is thus diverted to list-owner.</li></ul><br></div><div><br></div></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"> T o m M i t c h e l l</div></div>
</div></div>