
SoylentNews is people

posted by takyon on Monday May 14 2018, @07:55AM
from the pretty-grotesque-problem dept.

Ars Technica is reporting that there are critical PGP and S/MIME bugs which can reveal encrypted e-mails. Their advice is to uninstall the plugins, for the time being. More information will be released tomorrow (Tuesday at 07:00 UTC, 3:00 AM EDT, midnight PDT).

Little is publicly known about the flaws at the moment. Both Schinzel and the EFF blog post said they will be disclosed late Monday night California time in a paper written by a team of European security researchers. Schinzel's Twitter messages used the hashtag #efail, a possible indication of the name the researchers have given to their exploit.

The EFF also published a warning, Attention PGP Users: New Vulnerabilities Require You To Take Action Now:

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

The EFF also gives additional advice on disabling PGP in Thunderbird with Enigmail as well as other mail and mail-like clients.

takyon: The embargo is broken and the full details, including the paper (PDF), have been published.


  • (Score: 0) by Anonymous Coward on Monday May 14 2018, @04:14PM (#679616)

    These attacks have little to do with PGP and everything to do with poorly coded mail clients.

    I feel better about my choice to use Claws-Mail and Alpine exclusively every day!

  • (Score: 2) by DannyB (5839) on Monday May 14 2018, @06:39PM (#679712)

    I bet it is not ONLY poorly coded mail clients.

    I bet it is coding them in the wrong languages. Too close to the bare metal. Like C. Not at a high enough level of abstraction. So your every thought never strays far from char arrays, and null terminated strings, and memory management.

    Rather than thinking at a high level. The MIME parser returns three sections. The first section is Html, so pass it to the Html parser library -- oh, it returns an error about an unclosed string.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 0) by Anonymous Coward on Monday May 14 2018, @07:26PM (#679730)

      Not sure if you're going for sarcasm there. It's possible to write shit code in every language no matter how close to the metal or how far away. A language can have great syntactic sugar, but if the programmer doesn't have a decent idea what the equivalent C99 code would look like and all the edge cases and boundary conditions the syntactic sugar takes care of, sooner or later they're going to program themselves into a world of shit.