Ars Technica is reporting that there are
critical PGP and S/MIME bugs which can reveal encrypted e-mails. Their advice is to uninstall the plugins, for the time being. More information will be released tomorrow (Tuesday at 07:00 UTC, 3:00 AM EDT, midnight PDT).
Little is publicly known about the flaws at the moment. Both Schinzel and the EFF blog post said they will be disclosed late Monday night California time in a paper written by a team of European security researchers. Schinzel's Twitter messages used the hashtag #efail, a possible indication of the name the researchers have given to their exploit.
The EFF also published a warning, Attention PGP Users: New Vulnerabilities Require You To Take Action Now:
A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.
The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.
The EFF also gives additional advice on disabling PGP in Thunderbird with Enigmail as well as other mail and mail-like clients.
takyon: The embargo is broken and the full details, including the paper (PDF), have been published.
(Score: 2) by pvanhoof on Monday May 14 2018, @02:55PM
Which in a security sensitive environment is a bad idea. As suddenly you are exposing an enormous amount of locally running HTML rendering code to input provided to you by a possibly malicious actor.
On top of that is your web browser rarely going to show the E-mails in so called offline mode. Most MUA's have a feature called "Load remote images" or something similar. This will load IMG tags that have images that are not embedded in the E-mail. It usually gets implemented by putting the whole HTML rendering component in offline mode.
A MUA that is configured for a seriously secure environment will simply not render any HTML. You use the text/plain MIME part and if that way the E-mail ain't readable then the E-mail is for your spam folder.