Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

["~" <chano79thstreet () gmail com>]

Embargo has been broken. Here's the full details: https://efail.de

(h/t Martjin Grooten)

On Mon, 14 May 2018, 09:19 Suresh Ramasubramanian, <ops.lists () gmail com>
wrote:

> Seems to be a set of MUA bugs that are being overblown and hyped up.
>
> TL;DR = Don't use HTML email with some mail clients when sending pgp
> encrypted mail.
>
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
>
> --srs
>
> On 14/05/18, 1:15 PM, "NANOG on behalf of George William Herbert" <
> nanog-bounces () nanog org on behalf of george.herbert () gmail com> wrote:
>
>
>     This is likely bad enough operators need to pay attention.
>
>     @seecurity tweeted:
>
>     "We'll publish critical vulnerabilities in PGP/GPG and S/MIME email
> encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of
> encrypted emails, including encrypted emails sent in the past. #efail 1/4"
>
>     Thread starts here:
>     https://twitter.com/seecurity/status/995906576170053633?s=21
>
>     I have no particular insight into what it is other than presuming from
> thread that decryption can be tricked to do bad things.
>
>     They recommend temporary disabling downthread:
>
>     "There are currently no reliable fixes for the vulnerability. If you
> use PGP/GPG or S/MIME for very sensitive communication, you should disable
> it in your email client for now. Also read @EFF’s blog post on this issue:
> eff.org/deeplinks/2018… #efail 2/4"
>
>     -george
>
>     Sent from my iPhone