<div dir="ltr"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Greetings all,</span><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Sorry for all the spam about this. <br><br><br>> The EFF says that there is a flaw in the PGP spec in that it does not </span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">require an integrity check on an encrypted message.  Outside of that, I </span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">believe you are right, it is a flaw in the implementations.</span><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br>There are flaw in a <i>non-standard </i>[0][1]<i> </i>cipher used by GPG which does not use CAST5 for encryption by default. Also note the use of the "disable MDC" flag. For those that don't know, MDC is an authentication check for a message to cryptographically verify that a message has not been tampered with. <pre style="white-space:pre-wrap;color:rgb(0,0,0);font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial">gpg --recipient 0xFB73E21AF1163937 --cipher-algo CAST5 --disable-mdc --encrypt --sign --armor reply.txt</pre><div><br></div>The MDC was was one of the first "authenticated encryption" schemes created, but now there are more robust ones that GPG will migrate to. <br><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">> Also, on one of these mailing lists, Adam pointed out that this exploitr </span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">equires the remote loading of external resources. From looking at the</span><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">official exploit document, that also appears to be correct. In fact, </span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">loading of external resources is disabled by default in Thunderbird.</span><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">This means that this exploit won't work with default settings in </span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Thunderbird/Enigmail and probably won't work by default in other mail</span><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">clients as well.</span><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div>+1 however that is not the case for <i>most</i> clients used by the majority of users, I am thinking of Apple Mail and other mail clients (MAUs). However since most of us run Linux, here is the official statement from Mozila. They think disabling remote content and HTML parsing is the best mitigation, like Joel said. </div><div><br></div><div>So I think the comments made by Mozilla are best.  If you wish to need additional security around your GPG encrypted emails in, you can decrypt them while disconnected from WiFi or from the command line. You could grab the email message by selecting finding the "More" button (next to the "Delete" button) and selecting View Source. Find the the GPG message and paste this content into a text file.</div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><div><font face="monospace, monospace">----BEGIN PGP MESSAGE-----</font></div></div><div><div><font face="monospace, monospace"><br></font></div></div><div><div><font face="monospace, monospace">[ENCRYPTED MESSAGE CONTENT]</font></div></div><div><div><font face="monospace, monospace"><br></font></div></div><div><div><font face="monospace, monospace">-----END PGP MESSAGE-----</font></div></div></blockquote><div><div><br></div><div>To decrypt the email you would run <i>gpg --decrypt email_message.asc > message.tx</i>t. This is by far the safest manner of decrypting messages but it is also the most time consuming.</div><div><br></div><div>Happy to answer any more questions</div><div><br></div><div>Best,</div><div>Freddy Martinez</div></div><div><br></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">[0] <a href="https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060325.html">https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060325.html</a></span><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">[1] <a href="https://dev.gnupg.org/T3981">https://dev.gnupg.org/T3981</a></span></div><div>[2] <a href="https://blog.mozilla.org/thunderbird/2018/05/efail-and-thunderbird/">https://blog.mozilla.org/thunderbird/2018/05/efail-and-thunderbird/</a><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 15, 2018 at 9:10 PM, eviljoel <span dir="ltr"><<a href="mailto:eviljoel@linux.com" target="_blank">eviljoel@linux.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Greetings,<br>
<br>
The EFF says that there is a flaw in the PGP spec in that it does not<br>
require an integrity check on an encrypted message.  Outside of that, I<br>
believe you are right, it is a flaw in the implementations.<br>
<br>
Also, on one of these mailing lists, Adam pointed out that this exploit<br>
requires the remote loading of external resources. From looking at the<br>
official exploit document, that also appears to be correct. In fact,<br>
loading of external resources is disabled by default in Thunderbird.<br>
This means that this exploit won't work with default settings in<br>
Thunderbird/Enigmail and probably won't work by default in other mail<br>
clients as well. I kinda feel like the EFF jumped the gun on this one.<br>
<span class="HOEnZb"><font color="#888888"><br>
- eviljoel<br>
</font></span><span class="im HOEnZb"><br>
On 05/15/2018 08:13 AM, Christopher Lemmer Webber wrote:<br>
> eviljoel writes:<br>
> <br>
>> Greetings,<br>
>><br>
>> There is a newly discovered vulnerability in PGP that allows attackers<br>
> <br>
> It's worth noting that the flaw isn't in PGP or any PGP implementation,<br>
> it's in HTML mail rendering clients behaving badly.<br>
> <br>
<br>
</span><div class="HOEnZb"><div class="h5">-- <br>
Let me teach you encrypted e-mail. eviljoel's PGP fingerprint:<br>
A2BE 2D12 24D1 67CA 8830  DDE7 DFB3 676B 196D 6430<br>
<br>
</div></div><br>______________________________<wbr>_________________<br>
discuss mailing list<br>
<a href="mailto:discuss@lists.chicagolug.org">discuss@lists.chicagolug.org</a><br>
<a href="https://lists.chicagolug.org/mailman/listinfo/discuss" rel="noreferrer" target="_blank">https://lists.chicagolug.org/<wbr>mailman/listinfo/discuss</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Freddy Martinez</div>
</div>