"might reveal the plaintext of encrypted emails, including encrypted emails sent in the past" makes me think it's some nasty cryptographic issue; if it was RCE you'd think we'd be seeing a patch instead of "just disable it"
plus, hard to imagine an implementation bug that affects all these email clients, but _nothing else_ using PGP
I'm guessing it's one of those "let's try to find vulns in all the implementations" research teams.
RCE != broken encryption. RCE == malicious email taking over your computer. That is the only reasonable explanation for why they're going with this advice. Disable broken software, disclose, update, enable again. Otherwise, you're vulnerable between "disclose" and "update".
It's starting to sound like something vaguely like this. https://twitter.com/marcan42/status/995927710537928704?s=19 …
Apparently the EFF warning is overblown https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html …