Attention PGP Users: New Vulnerabilities Require You To Take Action Now


#1

#2

A reaction from GPG: https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

TL;DR:

  • Don’t use HTML mails.
  • Use authenticated encryption.

#3

Report publicly up now @ https://efail.de/ . Looks like there is a lot of misinformation being spread. :popcorn:


#4

GnuPG team statement: https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html

We made three statements about the Efail attack at the beginning. We’re
going to repeat them here and give a little explanation. Now that we’ve
explained the situation, we’re confident you’ll concur in our judgment.

  1. This paper is misnamed. It’s not an attack on OpenPGP. It’s an
    attack on broken email clients that ignore GnuPG’s warnings and do silly
    things after being warned.

  2. This attack targets buggy email clients. Correct use of the MDC
    completely prevents this attack. GnuPG has had MDC support since the
    summer of 2000.

  3. The authors made a list of buggy email clients. It’s worth looking
    over their list of email clients (found at the very end) to see if yours
    is vulnerable. But be careful, because it may not be accurate – for
    example, Mailpile says they’re not vulnerable, but the paper indicates
    Mailpile has some susceptibility.

The authors have done the community a good service by cataloguing buggy
email clients. We’re grateful to them for that. We do wish,
though, this thing had been handled with a little less hype. A whole
lot of people got scared, and over very little.
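As an added example (it is not part of any post in this thread and not GnuPG's own code), the script below walks the packet headers of a binary OpenPGP message and reports whether the encrypted payload is the integrity-protected SEIPD packet (tag 18, the one that carries the MDC the statement above relies on), the draft-era AEAD packet (tag 20), or the legacy tag 9 packet that has no integrity protection at all. The two sample messages are constructed inline with dummy ciphertext and a dummy session-key packet; a real ASCII-armored message would have to be dearmored first (`gpg --dearmor`), and `gpg --list-packets` gives the same information from the real tool. The script only inspects packet framing: actually verifying the MDC requires decrypting with the key, which gpg does for you.

```python
"""Classify the packets of a binary OpenPGP message and report whether the
encrypted payload is MDC-protected (tag 18), AEAD (tag 20) or a legacy
Symmetrically Encrypted Data packet (tag 9) with no integrity protection.
Packet framing follows RFC 4880 section 4.2; tag 20 is from the rfc4880bis
drafts that GnuPG implements."""

import struct

TAG_NAMES = {
    1: "Public-Key Encrypted Session Key",
    3: "Symmetric-Key Encrypted Session Key",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data (no MDC)",
    11: "Literal Data",
    18: "Sym. Encrypted Integrity Protected Data (MDC)",
    20: "AEAD Encrypted Data",
}

# Ordered weakest to strongest so the weakest mode present can be reported.
MODE_ORDER = ["none", "mdc", "aead"]


def parse_packets(data: bytes):
    """Return a list of (tag, length, body) for each packet in a binary stream."""
    packets = []
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}: 0x{ctb:02x}")
        pos += 1
        if ctb & 0x40:
            # New-format header: tag in the low 6 bits, variable-size length.
            tag = ctb & 0x3F
            b1 = data[pos]
            pos += 1
            if b1 < 192:
                length = b1
            elif b1 < 224:
                length = ((b1 - 192) << 8) + data[pos] + 192
                pos += 1
            elif b1 == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not handled in this example")
        else:
            # Old-format header: tag in bits 2-5, length type in the low 2 bits.
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = len(data) - pos  # indeterminate: runs to end of input
            else:
                n = {0: 1, 1: 2, 2: 4}[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag}) at offset {pos}")
        pos += length
        packets.append((tag, length, body))
    return packets


def encryption_mode(data: bytes) -> str:
    """Return 'mdc', 'aead', 'none' or 'unencrypted' for a message.

    If several encrypted-data packets are present, the weakest mode wins,
    because one unprotected packet is enough to make the message malleable."""
    modes = []
    for tag, _, body in parse_packets(data):
        if tag == 18:
            if body[:1] != b"\x01":  # version 1 is the only SEIPD version in RFC 4880
                raise ValueError("unexpected SEIPD version")
            modes.append("mdc")
        elif tag == 20:
            modes.append("aead")
        elif tag == 9:
            modes.append("none")
    if not modes:
        return "unencrypted"
    return min(modes, key=MODE_ORDER.index)


def describe(data: bytes):
    """Human-readable one-line-per-packet summary."""
    return [f"tag {tag:2d} ({length:4d} bytes): {TAG_NAMES.get(tag, 'other')}"
            for tag, length, _ in parse_packets(data)]


# --- constructed sample messages (not real ciphertext) ---------------------
# SKESK v4: AES-256 (9), iterated+salted S2K (3) with SHA-1 (2), dummy salt, count 0x60
_SKESK_BODY = bytes([4, 9, 3, 2]) + b"\x11\x22\x33\x44\x55\x66\x77\x88" + bytes([0x60])
_SKESK = bytes([0xC3, len(_SKESK_BODY)]) + _SKESK_BODY  # 0xC3: new format, tag 3
_CIPHERTEXT = bytes(range(0xA0, 0xA0 + 24))              # 24 dummy ciphertext bytes

# Message whose payload is a SEIPD packet (0xD2: new format, tag 18), version byte 1.
MDC_MESSAGE = _SKESK + bytes([0xD2, 1 + len(_CIPHERTEXT)]) + b"\x01" + _CIPHERTEXT
# Same payload framed as a legacy SED packet (0xA4: old format, tag 9, 1-octet length).
LEGACY_MESSAGE = _SKESK + bytes([0xA4, len(_CIPHERTEXT)]) + _CIPHERTEXT
# A plaintext literal-data packet (0xCB: tag 11): format 'b', empty filename, zero date.
PLAIN_MESSAGE = bytes([0xCB, 6]) + b"b\x00" + b"\x00" * 4

if __name__ == "__main__":
    for name, msg in [("MDC", MDC_MESSAGE), ("legacy", LEGACY_MESSAGE), ("plain", PLAIN_MESSAGE)]:
        print(f"{name}: mode={encryption_mode(msg)}")
        for line in describe(msg):
            print("   ", line)
```

A result of `none` on a message you received means the sender's software produced a payload with no integrity protection, which is the situation the GnuPG statement warns about; a result of `mdc` or `aead` means the client can (and must) refuse to render anything if the integrity check fails.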


#5

Mitigation for Enigmail / Thunderbird users:

https://sourceforge.net/p/enigmail/forum/announce/thread/527a26fc/


#6