This sounds very bad. And there are currently no reliable fixes.
#efailhttps://twitter.com/seecurity/status/995906576170053633 …
このスレッドを表示
-
This vulnerability might be used to decrypt the contents of encrypted emails sent in the past. Having used PGP since 1993, this sounds baaad.
#efailこのスレッドを表示
They figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.
-
-
Could you please keep it quiet? There will be plenty of time to do this discussion.
-
Your fault for talking shit. Don't make false accusations in your pre-release statements next time.
-
Where did
@seecurity make "false accusations"? He chose his words carefully by saying "vulnerabilities in PGP/GPG and S/MIME email encryption". It's the crypto community that made "PGP is broken" out of that. Now instead of fixing the problems, they point fingers at each other... -
The Vulnerability is not in PGP itself, but in the email clients.
-
The flaw is in GPGs / the clients handling of broken MDCs. Yes, the clients ignore a warning, but GPG delivering decrypted content and then saying “Sorry, ignore everything I just said” isn’t perfect either. Which is why they are discussing options to change that at the moment.
会話の終了
新しい会話 -
-
-
今後は興味のあるツイートがもっと表示されるようになります。 取り消す取り消す
-
-
-
.
@gnupg So are you basically saying there are 2 ways to mitigate?: 1. Disable external content in email client 2. Remove decryption add-ins in email client and instead copy/paste to Kleopatra directly?今後は興味のあるツイートがもっと表示されるようになります。 取り消す取り消す
-
-
-
今後は興味のあるツイートがもっと表示されるようになります。 取り消す取り消す
-
-
-
What kind of noob enables html / any kind of remote content (tracking pixels, etc) in any email never mind your secret encrypted emails?
今後は興味のあるツイートがもっと表示されるようになります。 取り消す取り消す
-
-
-
Wouldn't mail clients following links be more of an attack vector?
-
That's how I read it. If email clients are prefetching contents of links found in emails without the recipient clicking on them, that's about a dozen privacy/security exploits without adding encryption to the mix. Either I'm misreading it or… who thought that was a good idea???
会話の終了
新しい会話 -
-
-
I had a feeling this was the case due to the extremely odd wording in the EFF post. Thanks for clearing that up! <3
今後は興味のあるツイートがもっと表示されるようになります。 取り消す取り消す
-
-
-
Any thoughts
@CanaryMailApp ?
新しい会話 -
-
-
pretty Easy privacy (p≡p) for Android, Outlook and Tunderbird (with
#Engimail in#EnigmailpEp) relying on@gnupg ist encrypting and signing PGP/MIME mails automatically and NOT automatically loading external links: so no reason to spread FUD like this.今後は興味のあるツイートがもっと表示されるようになります。 取り消す取り消す
-
-
-
Seems like this is going to be way overblown, and a little irresponsible on the part of $researcher and
@eff. We’ll see… -
Just have to not talk about it until tomorrow otherwise fame acquired is less than the requested 15minshttps://twitter.com/seecurity/status/995936859980222464 …
会話の終了
新しい会話 -
-
-
Would be good to know which mail client is safe for OpenPGP, mutt/kmail etc.???
-
All mail clients are safe as long as you use plaintext
会話の終了
新しい会話 -
読み込みに時間がかかっているようです。
Twitterの処理能力の限界を超えているか、一時的な不具合が発生しています。やりなおすか、Twitterステータスで詳細をご確認ください。