
SoylentNews is people

posted by takyon on Monday May 14 2018, @07:55AM
from the pretty-grotesque-problem dept.

Ars Technica is reporting that there are critical PGP and S/MIME bugs which can reveal encrypted e-mails. Their advice is to uninstall the plugins, for the time being. More information will be released tomorrow (Tuesday at 07:00 UTC, 3:00 AM EDT, midnight PDT).

Little is publicly known about the flaws at the moment. Both Schinzel and the EFF blog post said they will be disclosed late Monday night California time in a paper written by a team of European security researchers. Schinzel's Twitter messages used the hashtag #efail, a possible indication of the name the researchers have given to their exploit.

The EFF also published a warning, Attention PGP Users: New Vulnerabilities Require You To Take Action Now:

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

The EFF also gives additional advice on disabling PGP in Thunderbird with Enigmail as well as other mail and mail-like clients.

takyon: The embargo is broken and the full details, including the paper (PDF), have been published.


  • (Score: 2) by pvanhoof on Monday May 14 2018, @01:20PM (1 child)

    by pvanhoof (4638) on Monday May 14 2018, @01:20PM (#679553)

    The problem is mostly in the MUA. The MUA needs to deal with an HTML E-mail containing active content (content for which it needs to fetch something over, for example, HTTP). A MUA should not do this in the first place. Images should for example never be loaded over HTTP. If they aren't embedded in the E-mail, the MUA shouldn't load the images without user consent (and should ask this each and every time). This is quite standard in MUAs to protect you against spammers who'd otherwise identify your E-mail address that way as being one that is in use and being read by a human being.

    Basically disable HTML E-mails whenever you need end to end encryption. Which people in security sensitive context should have done anyway, given an HTML browser component is way too complicated to trust in that kind of environment. Other possible backchannels in email clients are all bugs in the MUA, too.

    Don't use a MUA written by morons. And yes, letting the MUA use any HTTP connection without consent of the user is in a security sensitive environment moronic.

    Disclaimer: I worked on the E-mail client for the N900, N9, 810 and N800. Noting that that doesn't mean that we didn't have any security mistakes (like that) back then.

  • (Score: 2) by HiThere on Monday May 14 2018, @05:46PM

    by HiThere (866) on Monday May 14 2018, @05:46PM (#679666)

    It's not just that HTML renderers are too complex to trust, it's worse. HTML is designed to link stuff together non-locally. This is totally absurd in a secure context. Yes, there are HTML subsets that should be usable, but they aren't large subsets.

    It's an interesting idea, and someone should design a renderer for a secure subset of HTML, but you'd need a different form of packaging. Say only allow links to things within the same archive. That would let you use most of an existing HTML base, but still be secure. And if you unpackage the archive you could read it with a normal HTML browser.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
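
The rule argued for in the two comments above (load nothing that is not embedded in the message, and allow links only to things in the same package) can be checked mechanically before a message is rendered. The following is an added example, not code from either commenter or from any mail client: it uses Python's standard `email` and `html.parser` modules to list every reference in a message's HTML parts that is not a `cid:` (embedded part) or `#fragment` reference. The function names, the attribute list and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Attributes that can make a renderer fetch or navigate to a URL (assumed list).
URL_ATTRS = {"src", "href", "background", "poster", "data", "action", "srcset"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

def is_local(url):
    """True only for references that stay inside the message (cid: or #fragment)."""
    url = url.strip().lower()
    return not url or url.startswith(("cid:", "#"))

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote, self._css = [], False   # findings; inside a <style> element?

    def handle_starttag(self, tag, attrs):
        self._css = tag == "style"
        for name, value in attrs:
            urls = CSS_URL.findall(value or "") if name == "style" else [value or ""]
            if name in URL_ATTRS or name == "style":
                self.remote += [(tag, name, u) for u in urls if not is_local(u)]

    def handle_endtag(self, tag):
        self._css = False

    def handle_data(self, data):
        if self._css:   # text of a <style> element: look for url(...) references
            self.remote += [("style", "css", u) for u in CSS_URL.findall(data)
                            if not is_local(u)]

def remote_references(raw_message):
    """List every non-embedded reference in the text/html parts of a message."""
    found = []
    for part in message_from_string(raw_message, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            collector = RefCollector()
            collector.feed(part.get_content())
            collector.close()
            found += collector.remote
    return found

SAMPLE = (  # constructed sample message, not from the page
    "Content-Type: text/html; charset=utf-8\n\n"
    '<body style="background:url(http://tracker.example/bg.png)">'
    '<img src="cid:logo@example.com"><img src="http://tracker.example/p.gif">'
    "<style>p{background:url('//tracker.example/s.png')}</style></body>"
)
```

A client following the commenters' rule would render or decrypt only when `remote_references()` returns an empty list, and otherwise fall back to plain text or ask the user.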