[chiglug] EFF: Temporarily Stop Using PGP for Encrypted E-mail

eviljoel eviljoel at linux.com
Wed May 16 04:10:22 UTC 2018


Greetings,

The EFF says that there is a flaw in the PGP spec in that it does not
require an integrity check on an encrypted message.  Outside of that, I
believe you are right, it is a flaw in the implementations.

Also, on one of these mailing lists, Adam pointed out that this exploit
requires the remote loading of external resources. From looking at the
official exploit document, that also appears to be correct. In fact,
loading of external resources is disabled by default in Thunderbird.
This means that this exploit won't work with default settings in
Thunderbird/Enigmail and probably won't work by default in other mail
clients as well. I kinda feel like the EFF jumped the gun on this one.

- eviljoel

On 05/15/2018 08:13 AM, Christopher Lemmer Webber wrote:
> eviljoel writes:
> 
>> Greetings,
>>
>> There is a newly discovered vulnerability in PGP that allows attackers
> 
> It's worth noting that the flaw isn't in PGP or any PGP implementation,
> it's in HTML mail rendering clients behaving badly.
> 

-- 
Let me teach you encrypted e-mail. eviljoel's PGP fingerprint:
A2BE 2D12 24D1 67CA 8830  DDE7 DFB3 676B 196D 6430
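
The message above notes that the exploit depends on the mail client loading external resources. As an added example (not part of the original thread), this Python sketch lists the references in a message's HTML parts that a renderer would fetch automatically if remote content were enabled. The names `AUTO_FETCH`, `RemoteRefFinder` and `remote_refs` are hypothetical, the tag list is an assumption rather than an exhaustive one, and the sample message is constructed.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (non-exhaustive) map of tags to attributes fetched without a click.
AUTO_FETCH = {
    "img": ("src", "srcset"), "link": ("href",), "script": ("src",),
    "iframe": ("src",), "embed": ("src",), "object": ("data",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src", "srcset"),
    "input": ("src",), "body": ("background",), "td": ("background",),
}

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for attributes pointing at a network host."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in AUTO_FETCH.get(tag, ()) or not value:
                continue
            url = urlparse(value.strip())
            # http(s) or protocol-relative URLs leave the machine; cid:/data: do not.
            if url.scheme in ("http", "https") or (not url.scheme and url.netloc):
                self.refs.append((tag, name, value.strip()))

def remote_refs(raw_message: bytes):
    """Return the remote references found in every text/html part of a message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            found.extend(finder.refs)
    return found

# Constructed sample: one remote image, one inline (cid:) image, one ordinary link.
SAMPLE = (
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b'--b1\r\nContent-Type: text/plain; charset="utf-8"\r\n\r\nhello\r\n'
    b'--b1\r\nContent-Type: text/html; charset="utf-8"\r\n\r\n'
    b'<html><body><img src="http://example.invalid/a.png">'
    b'<img src="cid:logo"><a href="https://example.invalid/">link</a>'
    b"</body></html>\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for tag, attr, url in remote_refs(SAMPLE):
        print(f"<{tag} {attr}> would fetch {url}")
```

Python's `HTMLParser` does not tokenize HTML exactly as any given mail client does, so treat the output as a heuristic.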
