SoylentNews is people

posted by takyon on Monday May 14 2018, @07:55AM
from the pretty-grotesque-problem dept.

Ars Technica is reporting that there are critical PGP and S/MIME bugs which can reveal encrypted e-mails. Their advice is to uninstall the plugins, for the time being. More information will be released tomorrow (Tuesday at 07:00 UTC, 3:00 AM EDT, midnight PDT).

Little is publicly known about the flaws at the moment. Both Schinzel and the EFF blog post said they will be disclosed late Monday night California time in a paper written by a team of European security researchers. Schinzel's Twitter messages used the hashtag #efail, a possible indication of the name the researchers have given to their exploit.

The EFF also published a warning, "Attention PGP Users: New Vulnerabilities Require You To Take Action Now":

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

The EFF also gives additional advice on disabling PGP in Thunderbird with Enigmail as well as other mail and mail-like clients.

takyon: The embargo is broken and the full details, including the paper (PDF), have been published.


  • (Score: 5, Insightful) by bradley13 on Monday May 14 2018, @08:58AM (3 children)

    by bradley13 (3053) on Monday May 14 2018, @08:58AM (#679493) Homepage Journal

    I have the GPG plugin installed. I've actually used it twice to send email, but I don't believe I have ever received a GPG encrypted email. Meanwhile, on my normal email chains, the plugin makes a mess: creating encrypted draft messages that are never used, but also never deleted, which clutters things up.

    We have Signal for messaging - completely transparent, easy to use, and apparently pretty secure. Meanwhile, email is still sent unencrypted, because the encryption solutions are such a pain. We should have had end-to-end email encryption 20 years ago. Why, WHY is this so hard?

    --
    Everyone is somebody else's weirdo.
  • (Score: 2, Insightful) by Anonymous Coward on Monday May 14 2018, @01:13PM (2 children)

    by Anonymous Coward on Monday May 14 2018, @01:13PM (#679550)
    • Most people just don't care about security or privacy; certainly, the proles don't care. Humans are social creatures, and thus gravitate towards working on solutions that will provide the greatest recognition from their peers.

    • Certain infrastructure projects, such as email software, are inherently thankless; you know your solution is working well when nobody has to think about it. The result is that only fucking hackers (in the old sense) write this stuff (and they write for a laugh with their buddies), and so we've built our world on piles of hand-crafted parts held together with the digital equivalent of gum and duct-tape.

      Everybody is complaining about email in HTML, but it's actually a very smart thing, and if you write multi-part MIME emails by hand, you can make really clean, beautiful stuff. Yet, most people aren't writing these things by hand; they're instead using some quick hack that produces total trash.

    • (Score: 2) by pvanhoof on Monday May 14 2018, @01:49PM (1 child)

      by pvanhoof (4638) on Monday May 14 2018, @01:49PM (#679563) Homepage

      Yet, most people aren't writing these things by hand; they're instead using some quick hack that produces total trash.

      You mean Outlook, right?

      • (Score: 0) by Anonymous Coward on Monday May 14 2018, @02:51PM

        by Anonymous Coward on Monday May 14 2018, @02:51PM (#679581)

        I know Microsoft programmers who are the creme-de-la-creme. They couldn't possibly give a flying fuck about the technical quality of their work; it's just a job, man—impress the PMs, and then go rock climbing. They're hacks.