nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Mon, 14 May 2018 13:47:50 +0530
Seems to be a set of MUA bugs that are being overblown and hyped up.

TL;DR = Don't use HTML email with some mail clients when sending pgp encrypted mail.

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

--srs

On 14/05/18, 1:15 PM, "NANOG on behalf of George William Herbert" <nanog-bounces () nanog org on behalf of 
george.herbert () gmail com> wrote:

    
    This is likely bad enough operators need to pay attention.
    
    @seecurity tweeted:
    
    "We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might 
reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4"
    
    Thread starts here:
    https://twitter.com/seecurity/status/995906576170053633?s=21
    
    I have no particular insight into what it is other than presuming from thread that decryption can be tricked to do 
bad things.
    
    They recommend temporary disabling downthread:
    
    "There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive 
communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: 
eff.org/deeplinks/2018… #efail 2/4"
    
    -george 
    
    Sent from my iPhone
Previous By Date Next
Previous By Thread Next

Current thread: