[Cryptography] Critical PGP and S/MIME bugs can reveal encrypted emails—uninstall now?

Tom Mitchell mitch at niftyegg.com
Mon May 14 10:35:00 EDT 2018


Apparently:
Critical PGP and S/MIME bugs can reveal encrypted emails—uninstall /
disable now

One assertion is that old messages can be exposed too.

Twitter is full of posts this AM.
https://twitter.com/seecurity/status/995906576170053633

Sebastian Schinzel
@seecurity
" We'll publish critical vulnerabilities in PGP/GPG and S/MIME email
encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of
encrypted emails, including encrypted emails sent in the past. #efail 1/4 "

Schinzel referred people to this blog post published late Sunday night by the
Electronic Frontier Foundation. It said: “EFF has been in communication
with the research team, and can confirm that these vulnerabilities pose an
immediate risk to those using these tools for email communication,
including the potential exposure of the contents of past messages.”

The post continued:
Our advice, which mirrors that of the researchers, is to immediately
disable and/or uninstall tools that automatically decrypt PGP-encrypted
email. Until the flaws described in the paper are more widely understood
and fixed, users should arrange for the use of alternative end-to-end
secure channels, such as Signal, and temporarily stop sending and
especially reading PGP-encrypted email.

Both Schinzel and the EFF blog post referred those affected to EFF
instructions for disabling plugins in Thunderbird, macOS Mail, and Outlook.
The instructions say only to "disable PGP integration in e-mail clients."
Interestingly, there's no advice to remove PGP apps such as Gpg4win or GNU
Privacy Guard. Once the plugin tools are removed from Thunderbird, Mail, or
Outlook, the EFF post said, "your emails will not be automatically
decrypted." On Twitter, EFF officials went on to say: "do not decrypt
encrypted PGP messages that you receive using your email client."

https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/

-- 
  T o m    M i t c h e l l