CRITICAL PGP, S/MIME VULNERABILITIES, THIS IS NOT A DRILL

HOW IS THERE NOT A THREAD YET HOLY SHIT eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

>might
>no details

Most likely overblown, and if they're releasing it, already patched.

>Sebastian Schnitzel
>Schnitzel
>An actual fucking Schnitzel

HOLY SHIT

arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
>The Internet’s two most widely used methods for encrypting e-mail--PGP and S/Mime--are vulnerable to hacks that can reveal the plaintext of encrypted messages, a researcher warned late Sunday night. He went on to say there are no reliable fixes and to advise anyone who uses either encryption standard for sensitive communications to remove them immediately from e-mail clients.

>The flaws “might reveal the plaintext of encrypted emails, including encrypted emails you sent in the past,” Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences, wrote on Twitter. “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

well shit
thanks NSA

came to say this.

Fucking NASA

It's going to require physical access to at least one machine.

> trusting MIME
> ever

Don't tell Ecuador

>these vulnerabilities pose an immediate risk to those using these tools for email communication
So it has something to do with tools that use PGP, not PGP itself? I use GPG to encrypt my backups I store "in the cloud". I'm not sure if I should worry.

>ASCII armor unrelated
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

jA0ECQMCWUJ9SaLRVzze0lUBT3L6boKj7Ji837hC5ISyqsy8KWC6XyL5KV7unlmP
Vq63+SRXc0XhCEB2XAUNpRGuIEuawxRu58qHpMAkjF/nhXpXLUlKShp+RhkDa3MG
5gslhvEQ
=CZKx
-----END PGP MESSAGE-----

lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

don't worry folks, it's not that bad

brainlet here
how do I encrypt my emails with pgp? Just copy and paste the code I got from pgp website at the end of the website? lol wtf

It's overblown, you shouldn't have html enabled in your mail client anyway.

twitter.com/AlecMuffett/status/995941110567571456

Fuck off

It is not a bug in PGP.
Some clients will execute external HTML at the same time as decryption occurs. The problem is you can add on these malicious HTML calls to legitimate encrypted messages. GPG had already implemented an authentication method a decade ago. Some clients have failed to implement it properly and will still execute the HTML when giving the authentication error state.
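The fail-closed handling that the post above says some clients got wrong, as an added example that is not part of the original post or any mail client's code. It reads the machine-readable lines from `gpg --status-fd` and releases the decrypted body only when the integrity check passed; the function names, the policy of requiring `GOODMDC`, and the sample status output are assumptions constructed for illustration.

```python
import html

# Status keywords written by `gpg --status-fd` (documented in GnuPG's doc/DETAILS).
FATAL = {"BADMDC", "DECRYPTION_FAILED"}
REQUIRED = {"GOODMDC", "DECRYPTION_OKAY"}  # example policy: both must be present


def parse_status(status_text):
    """Collect the keywords from '[GNUPG:] KEYWORD args...' lines."""
    keywords = set()
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line.split()
            if len(parts) >= 2:
                keywords.add(parts[1])
    return keywords


def release_plaintext(status_text, plaintext):
    """Return text safe to display, or None if the message must not be shown.

    Fail closed: any integrity error, or the absence of a positive
    integrity result, means the body is never handed to a renderer.
    """
    keywords = parse_status(status_text)
    if keywords & FATAL:
        return None
    if not REQUIRED <= keywords:
        return None
    # Show the body as text, not markup, so nothing in it is fetched remotely.
    return html.escape(plaintext)


# Constructed sample status output (not captured from a real session).
GOOD_STATUS = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION"""

TAMPERED_STATUS = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION"""

# No integrity result at all: treated the same as a failure.
NO_MDC_STATUS = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION"""
```
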

> if they're releasing it, already patched.
Still means you need to patch it, the problem is most likely not solved.
Maybe you need to upload new keys or something.

Meh, it's entirely mitigatable by simply having your client not automatically load external links and checking links before clicking on them.

Uhm.... I might end up in jail after this, I deleted all my emails but I fear the worst. Goodbye cruel world.

>>ASCII armor
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: Bad session key

i suck at this

bump

...

>my backups
their backups now

If you're going to use encryption technology you should at least have a basic understanding of how public key encryption works, first. Pretty much

1) Bob and Alice wish to communicate. Both Bob and Alice generate PGP keypairs. Each Keypair contains a public key and a private key.
2) Bob and Alice store their private keys in a very secure location. They email copies of their public keys to each other.
3) Bob writes an email to Alice, encrypting it with the copy of her public key she sent to him and he emails it to her
4) Alice receives Bob's encrypted email and decrypts it with her private key

Now let's say a hacker uses a man in the middle attack to get a copy of the encrypted email. Since he does not have a copy of Alice's private key, he cannot decrypt it and loses at life.

To answer your question for how to use PGP, if you're using Windows, GPG4win is a decent GUI. You can also use Thunderbird and the PGP extension, to make it quicker and more integrated. Of course, using extensions and more detailed front end software gives you more attack surface for bugs, so ideally, you'd not be a pleb and just encrypt messages via the Linux command line instead.

So basically it's shitty programming.
Probably done by pajeets.

god damn fucking nasa

Microsoft BTFO

Hehe hopefully this means we get more Hillary emails out.

Open source: not even once.

Thanks for this explanation.

abcd1234

>announce exploit
>don't inform the exploitable software developer
can somebody go sock this Shitzel

Today, information about the Efail vulnerability was released. This weakness was addressed in Enigmail 2.0, released in March 2018. Unfortunately, this vulnerability does not only cover Enigmail, but also Thunderbird. Thunderbird is not yet completely fixed today; the developers are still working on fixing the vulnerability on their side.

I therefore recommend that you install the latest versions of Thunderbird and Enigmail (currently 52.7 and 2.0.3 respectively), and disable viewing HTML mails in Thunderbird via menu View > Message Body as > Plain Text. This will protect you from any form of the vulnerability described. Furthermore, once Thunderbird 52.8 is released, I recommend upgrading as soon as possible.

PGP isn't open source though.

We need a name and a logo stat!

gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
This is dumb, really dumb.