There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now … #efail 2/4
-
Here are @EFF’s guides for disabling PGP/GPG in Thunderbird https://www.eff.org/deeplinks/2018/05/disabling-pgp-thunderbird-enigmail …, Apple Mail https://www.eff.org/deeplinks/2018/05/disabling-pgp-apple-mail-gpgtools …, and Outlook https://www.eff.org/deeplinks/2018/05/disabling-pgp-outlook-gpg4win …. #efail 3/4
-
This is joint research with Damian Poddebniak, @dr4ys3n, @jensvoid, @Murgi, @seecurity, @cryptosorcerer, @jurajsomorovsky and Jörg Schwenk from @fh_muenster, @ruhrunibochum, @LeuvenU. #efail 4/4
-
Why the drama? Why not simply release the details now instead of Hollywood style „come back tomorrow for more!“
-
Because of the reasons you'll learn tomorrow.
-
EFF focuses on PGP, while you also mention S/MIME. I gather standalone use of GPG/PGP is safe? If yes, that should be made very clear. Or should we stop signing rpms, git commits with GPG too?
-
The tweets and blog posts were written very carefully. Please also read them carefully. They contain anything you need to know until tomorrow.
-
"temporarily stop sending and especially reading PGP-encrypted email" Interesting.. https://twitter.com/seecurity/status/995906576170053633 …
-
So we can summarize this as "since there is a threat toward S/MIME and PGP now send everything in clear"?
-
No. “Don’t encrypt/decrypt your email using plugins until tomorrow where you can hopefully assess better what the problem is” is what we are told.
-
Which the news media are reporting as "don't use PGP it's dangerous". And the way the warnings are written, I don't blame the news media.
-
SMIME is a builtin functionality of clients. Do we need to worry there? Why only deactivating GnuPG-sorts?
-
You can still disable it in the config. If you use S/MIME for sensitive information, disable it for now.
-
Why disable it? That's like saying "we know how to break into your house so don't bother locking the door"
-
Again, it all sounds more like RCE-ish. So you rather have all your past emails stolen or just use other channels for now? When heartbleed came out, people with SSL/TLS had a potential RCE, those without had “only” insecure connections.
-
Agree. Disable auto decryption gives it away. Controlling the memory space that contains the private key with code execution is a good reason to disable it! Sounds like a flaw in a widely implemented crypto library within email communications.
-
Any research paper about this ?
-
We'll release it tomorrow.