[Cryptography] Vulnerability found in PGP.
Jason Cooper
cryptography at lakedaemon.net
Mon May 14 15:04:43 EDT 2018
Hi,
On Mon, May 14, 2018 at 09:21:07AM -0700, Ray Dillinger wrote:
> Details not announced yet, but evidently a protocol vulnerability
> and evidently quite bad. EFF recommends disabling anything you've
> got that automatically opens PGP-encrypted mail.
Best assessment I've seen to date:
https://blog.erratasec.com/2018/05/some-notes-on-efail.html
"Instead of disabling PGP/SMIME, you should make sure your email client
has (s/hast/has/ - jac) remote/external content disabled -- that's a
huge privacy violation even without this bug."
> It's unusual for something that's been this widely studied for this
> long to have something that's of such concern; I'll be watching
> with interest to see what it is.
Based on the above, it's not PGP or S/MIME (other than the convenience
feature of keeping keys decrypted for a period of time to reduce PW
typing), but rather MUA's stupid auto-rendering of HTML.
thx,
Jason.
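
Added example, not part of the original message: one way to audit which resources an HTML mail part would fetch on display if a client had remote content enabled, which is the setting the quoted advice says to turn off. The sample message, its hostnames and the attribute list are constructed assumptions, not taken from the thread or from any particular MUA.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: attributes a renderer loads without any user click.
FETCH_ATTRS = {"src", "background", "poster"}
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Constructed sample message (hostnames are placeholders).
SAMPLE = """\
From: a@example.com
To: b@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

hello
--b1
Content-Type: text/html; charset="utf-8"

<html><body background="https://img.example/bg.png">
<img src="http://tracker.example/pixel.gif?id=1">
<img src="cid:logo@local">
<link rel="stylesheet" href="//cdn.example/s.css">
<a href="https://example.org/">click</a>
</body></html>
--b1--
"""

def is_remote(url):
    p = urlparse(url.strip())
    # Protocol-relative URLs ("//host/x") have no scheme but do name a host.
    return p.scheme in REMOTE_SCHEMES or (p.scheme == "" and p.netloc != "")

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            auto = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if auto and value and is_remote(value):
                self.refs.append((tag, value))

def remote_refs(raw_message):
    """Return (tag, url) pairs that every text/html part would auto-fetch."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            found.extend(finder.refs)
    return found
```

The `cid:` image and the ordinary hyperlink are not reported, since neither causes a network request when the message is merely displayed.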