GnuPG has an official statement out. (ObDisclosure: I was the principal author.) 1/
(This statement is only about the susceptibility of OpenPGP, GnuPG, and Gpg4Win. It does not cover S/MIME.) 2/
Recently some security researchers published a paper named "Efail: Breaking S/MIME and OpenPGP Encryption using Exfiltration Channels". The EFF has gone so far as to recommend immediately uninstalling Enigmail. We have three things to say, and then we're going to show you why 3/
we're right. 1. This paper is misnamed. 2. This attack targets buggy email clients. 3. The authors made a list of buggy email clients. 4/
In 1999 we realized OpenPGP's symmetric cipher mode (a variant of cipher feedback) had a weakness: in some cases an attacker could modify text. As Werner Koch, the founder of GnuPG, put it: "[Phil Zimmermann] and Jon Callas asked me to attend the AES conference in Rome to 5/
discuss problems with the CFB mode which were on the horizon. That discussion was in March 1999 and PGP and GnuPG implemented a first version [of our countermeasure] about a month later. According to GnuPG's NEWS file, [our countermeasure] went live in Summer 2000." 6/
The countermeasure Werner mentions is called a Modification Detection Code, or MDC. It's been a standard part of GnuPG for almost eighteen years. For almost all that time, any message which does not have an MDC attached has caused GnuPG to throw up big, clear, and obvious 7/
warning messages. They look something like this: [long GnuPG output snipped for brevity -- see my prior tweet for a sample screenshot] 8/
GnuPG also throws large warning messages if an MDC indicates a message has been modified. In both cases, if your email client respects this warning and does the right thing -- namely, not showing you the email -- then you are completely protected from the Efail attack, as 9/
That's really about the only question I have here: how come 18 years later this is still a warning and not a hard error?
Replying to @andreasdotorg
Recently it became a hard error: it throws DECRYPTION_FAILED on the status channel. Unfortunately, due to the way OpenPGP specifies the MDC be done, sometimes that can't be done until *after* the client is given data back. It's a problem we're working on.
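The thread says a client is protected if it refuses to show a message when GnuPG reports an MDC problem, and the last reply notes that DECRYPTION_FAILED can arrive on the status channel only after plaintext has been handed back. The following is an added example, not code from the thread or from GnuPG: a client-side gate that buffers the plaintext and releases it only after the whole status stream has been checked. Requiring GOODMDC is this example's policy assumption for MDC-protected messages, the function names are hypothetical, and the status samples are constructed.

```python
import subprocess

PREFIX = "[GNUPG:] "

# Constructed status-fd samples (not captured from a real run).
GOOD = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] PLAINTEXT 62 0 \n"
        "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] GOODMDC\n[GNUPG:] END_DECRYPTION\n")
TAMPERED = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] PLAINTEXT 62 0 \n"
            "[GNUPG:] BADMDC\n[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n")
NO_MDC = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] PLAINTEXT 62 0 \n"
          "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n")

def mdc_verdict(status_text):
    """Return (ok, reason) after reading the complete status output."""
    seen = set()
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                seen.add(fields[0])
    # A failure keyword wins even if it shows up after PLAINTEXT was emitted.
    for bad in ("BADMDC", "DECRYPTION_FAILED"):
        if bad in seen:
            return False, bad
    if "DECRYPTION_OKAY" not in seen:
        return False, "no DECRYPTION_OKAY"
    if "GOODMDC" not in seen:  # policy assumption: unprotected messages are rejected
        return False, "no GOODMDC"
    return True, "ok"

def release_plaintext(buffered, status_text):
    """Hand the buffered plaintext to the renderer only on a clean verdict."""
    ok, reason = mdc_verdict(status_text)
    if not ok:
        raise ValueError("refusing to display message: " + reason)
    return buffered

def decrypt(ciphertext):
    """Run gpg, holding all plaintext in memory until gpg has exited."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt"],
        input=ciphertext, capture_output=True)
    return release_plaintext(proc.stdout, proc.stderr.decode("utf-8", "replace"))
```

The point of `capture_output` here is that nothing reaches the renderer while gpg is still running, so a late failure status cannot race with display.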