[RndTbl] PGP/GPG broken for email (S/MIME)

Hartmut W Sager hwsager at marityme.net
Tue May 15 00:22:05 CDT 2018

> Oh ya, this all could have been avoided if people stopped using HTML in
> emails and HTML-capable MUAs.  <GRIN>

Oh come now (grin or no grin)!  That would take us back to the
textual-content-only era that was already ending by about 1995.
Non-textual content and good looks in e-mail do matter in 2018!

Hartmut W Sager

On Mon, 14 May 2018 at 23:24, Trevor Cordes <trevor at tecnopolis.ca> wrote:

> https://www.eff.org/deeplinks/2018/05/pgp-and-efail-frequently-asked-questions
> https://efail.de/efail-attack-paper.pdf
> Nasty year for security 2018 is turning out to be.
> Newly announced flaw in PGP/GPG when used for email that lets remote
> hackers get copies of your encrypted emails (whether sender or
> recipient).  Many (most?) email clients (MUAs) are not patched yet (but
> the Linux ones should be shortly).
> The encryption itself isn't broken, it's the way email clients and
> their html parsers work that is being abused.  For the hack to work
> you have to use a vulnerable email client that has builtin html
> support (most do, but mine doesn't, yay!) and the attacker has to
> intercept an encrypted email for/from you and then send it to you
> wrapped in some naughty html.  Your email client then decrypts the
> email and the naughty html promptly sends a copy to the attacker via
> backchannels (getvars or similar in img tags hitting hacker servers).
> To be clear, they can only use this hack to read emails they've already
> intercepted and tricked you into opening in your HTML MUA.
> If you use GPG from the command line you're basically safe.  It's still
> good encryption (with a caveat about integrity checks that won't affect
> most use cases).  GPG used for package signing, etc, is still safe.
> GPG used for local file encryption is safe.
> To be safe for email, update your MUA when it patches this, and ensure
> all your contacts you PGP/GPG with do the same.  Unlike Spectre et al,
> this one is fairly easy to fix assuming most people do it in a
> reasonable amount of time (ya, I know).
> Strangely, EFF recommends people phase out PGP/GPG email and has no
> real recommended drop-in replacement.  I find this odd, as to me *some*
> emails being hackable certainly beats *all* emails being hackable (i.e.
> plaintext) which is basically what they are advocating.

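An added example, not part of either message above: the quoted post describes decrypted mail leaking through "img tags hitting hacker servers", and one mitigation is for a mail client to refuse to load remote content in decrypted HTML. This Python sketch lists the references in an HTML body that would trigger an automatic fetch, going beyond `img` to a few other attributes and CSS `url()`. The attribute list is an assumption and is not exhaustive, and the sample body and host names are constructed.

```python
import re
from html.parser import HTMLParser

# Attributes that make a renderer fetch a URL with no user interaction (assumed list).
FETCH_ATTRS = {"src", "srcset", "background", "poster", "data"}
# "scheme://..." or protocol-relative "//..."; cid: and data: URLs do not match.
REMOTE = re.compile(r"\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
# Constructed sample of a decrypted HTML body; all hosts are placeholders.
SAMPLE = (
    '<p>Notes.</p><img src="cid:logo@local">'
    '<img src="http://tracker.example/p.gif?id=1234">'
    "<div style=\"background:url('//cdn.example/bg.png')\">hi</div>"
    "<style>body { background: url(https://css.example/x.png) }</style>"
)

class BackchannelFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits, self._in_style = [], False   # hits: (tag, attribute, url)

    def _add(self, tag, attr, urls):
        self.hits += [(tag, attr, u) for u in urls if REMOTE.match(u)]

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if not value:
                continue
            if name == "srcset":    # comma-separated "url descriptor" pairs
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
                self._add(tag, name, urls)
            elif name in FETCH_ATTRS or (tag == "link" and name == "href"):
                self._add(tag, name, [value])
            elif name == "style":   # inline CSS can trigger fetches too
                self._add(tag, name, CSS_URL.findall(value))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:          # contents of a <style> element
            self._add("style", "css", CSS_URL.findall(data))

def find_backchannels(html):
    """Return every remote reference a renderer would fetch automatically."""
    finder = BackchannelFinder()
    finder.feed(html)
    finder.close()
    return finder.hits
```

A client-side policy built on this would render a decrypted body only when `find_backchannels` returns an empty list, or would strip the listed references first.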