DaemonForums > News (News regarding BSD and related)
#1
14th May 2018
e1-531g
VPN Cryptographer
Join Date: Mar 2014
Posts: 436
Efail: Vulnerabilities in email clients allow decryption of OpenPGP and S/MIME

https://efail.de/
Quote:
Here are some strategies to prevent EFAIL attacks:

Short term: No decryption in email client. The best way to prevent EFAIL attacks is to only decrypt S/MIME or PGP emails in a separate application outside of your email client. Start by removing your S/MIME and PGP private keys from your email client, then decrypt incoming encrypted emails by copy-and-pasting the ciphertext into a separate application that does the decryption for you. That way, the email clients cannot open exfiltration channels. This is currently the safest option with the downside that the process gets more involved.

Short term: Disable HTML rendering. The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc. Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking EFAIL. Note that there are other possible backchannels in email clients which are not related to HTML but these are more difficult to exploit.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
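The two short-term strategies quoted above are a procedure a practitioner can partly automate. The Python script below is an added example, not part of the original post and not code from efail.de: given a saved RFC 822 message it pulls out every ASCII-armored OpenPGP block so the ciphertext can be decrypted outside the mail client (for example with `gpg --decrypt`), counts S/MIME parts, and lists the remote resources referenced from HTML parts (img/script src, link href, CSS url()), i.e. the active content the second strategy says to stop rendering. A message that carries both ciphertext and such references is flagged for offline decryption. The sample message, the host tracker.example.net and the placeholder armored block are constructed for this example and are not real data; the function names are the example's own.

```python
import re
import sys
from email import message_from_string
from email.message import Message

# Constructed sample message (not a captured mail). The armored block is a
# placeholder and will not decrypt; it only stands in for real ciphertext.
SAMPLE_EML = """\
From: alice@example.org
To: bob@example.org
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://tracker.example.net/pixel.png">
<style>body { background: url(https://tracker.example.net/bg.css) }</style>
<a href="mailto:alice@example.org">reply</a>
</body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0placeholderCiphertextNotARealOpenPGPPacket
=AbCd
-----END PGP MESSAGE-----
--inner--
--outer--
"""

ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)
# Remote http(s) resources an HTML renderer would fetch: src=, href= and
# CSS url(). mailto: and cid: references are deliberately not matched.
REMOTE_RE = re.compile(
    r"""(?:src|href)\s*=\s*["']?(https?://[^"'\s>]+)"""
    r"""|url\(\s*["']?(https?://[^"')\s]+)""", re.I)
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def _leaf_parts(msg: Message):
    """Yield (content_type, decoded_text) for every non-multipart part."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        yield part.get_content_type(), payload.decode(charset, errors="replace")


def extract_armored_blocks(raw: str) -> list:
    """Return every ASCII-armored OpenPGP message found in the mail, ready to
    be written to a file and decrypted outside the client."""
    blocks = []
    for _ctype, text in _leaf_parts(message_from_string(raw)):
        blocks.extend(ARMOR_RE.findall(text))
    return blocks


def count_smime_parts(raw: str) -> int:
    """Count S/MIME (PKCS#7) parts; their ciphertext is binary, so only the
    presence is reported here."""
    return sum(1 for ctype, _ in _leaf_parts(message_from_string(raw))
               if ctype in SMIME_TYPES)


def remote_references(raw: str) -> list:
    """List remote URLs referenced from text/html parts, in document order."""
    refs = []
    for ctype, text in _leaf_parts(message_from_string(raw)):
        if ctype != "text/html":
            continue
        for m in REMOTE_RE.finditer(text):
            refs.append(m.group(1) or m.group(2))
    return refs


def triage(raw: str) -> dict:
    """Report whether a message should be decrypted outside the mail client:
    ciphertext present together with HTML parts that reach out remotely."""
    blocks = extract_armored_blocks(raw)
    smime = count_smime_parts(raw)
    refs = remote_references(raw)
    return {
        "pgp_blocks": len(blocks),
        "smime_parts": smime,
        "remote_refs": refs,
        "needs_offline_decrypt": (bool(blocks) or smime > 0) and bool(refs),
    }


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EML
    print(triage(raw))
    for i, block in enumerate(extract_armored_blocks(raw)):
        with open(f"ciphertext-{i}.asc", "w") as fh:
            fh.write(block + "\n")
```

Run it as `python3 efail_triage.py saved.eml` and decrypt the written `ciphertext-N.asc` files with a standalone `gpg --decrypt`, which keeps the private key and the plaintext out of a client that might render HTML. The check is a triage aid only: as the quoted advice notes, there are non-HTML backchannels in some clients that this regex will not see.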
#2
3 Weeks Ago
e1-531g

https://protonmail.com/blog/pgp-efail-statement/
Quote:
These statements are highly misleading and potentially dangerous. PGP is not broken. The vulnerabilities identified by eFail are not flaws with the OpenPGP protocol itself but rather flaws in certain implementations of PGP, including in Apple Mail, Mozilla Thunderbird, and Microsoft Outlook. Many other commonly used software based upon PGP are not affected by the eFail vulnerability in any way, as the researchers themselves point out in their paper.

As an open standard, anybody can implement PGP, and it comes as no surprise that some implementations have security weaknesses. However, this does not mean PGP itself is broken.
#3
2 Weeks Ago
Sensucht94 (Real Name: Paolo Vincenzo Olivo)
Port Guard
Join Date: Oct 2017
Location: Rome
Posts: 12

Relevant vulnerable-clients sheet per platform; oddly enough, I've always used Claws/Sylpheed and (neo)mutt only. AFAIK the old but gold Pegasus for DOS/Windows is not affected either.
Attached image: qCsujgp_d.jpg (41.0 KB)
__________________
Be the change you want to see in the World


Tags: gnupg, openpgp, pgp
