A critical PGP flaw could expose your past emails

The idea is that attackers shouldn't be able to read your messages even if they intercept them or somehow gain access to your accounts.

Researchers have discovered a vulnerability in the OpenPGP and S/MIME protocols that allows for the exfiltration of plaintext messages. This attack relies on a three-part message being sent.

A paper detailing the vulnerability, co-authored by Sebastian Schinzel, computer security professor at the Münster University of Applied Sciences in Germany, is available online.

The Electronic Frontier Foundation (EFF) advises users to immediately disable all email tools that automatically decrypt PGP.

The security flaws that have been discovered could potentially leak the contents of the encrypted messages you send and receive via email when they are protected with PGP or S/MIME.

It advised users to disable the use of active content, such as HTML code and the loading of external content, and to secure their email servers against external access.

While not explicitly mentioned, you may also disable the loading of remote content in the email client to prevent successful exploits. In fact, the only clients protected against S/MIME attacks are Claws Mail and Mutt, whereas more clients are protected against PGP-targeting attacks.
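To check which parts of a message would cause a client to load remote content, the following added example (not from the article or the researchers; the sample message and all function names are constructed for illustration) lists the references in each HTML part of a raw email that a client would fetch automatically while rendering:

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a mail client fetches while rendering, without any click.
FETCH_ATTRS = {"src", "background", "poster", "srcset"}


def is_remote(url):
    try:
        scheme = urlsplit(url.strip()).scheme.lower()
    except ValueError:  # malformed URL: count it, to stay conservative
        return True
    return url.lstrip().startswith("//") or scheme in {"http", "https", "ftp"}


class RemoteRefFinder(HTMLParser):
    """Collect (tag, attribute, url) for each auto-fetched remote reference."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # <link href> is fetched on render; <a href> only on a click.
            auto = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if auto and value and is_remote(value):
                self.refs.append((tag, name, value.strip()))


def remote_refs(raw_message):
    """Return remote references from every text/html part of a raw message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            found.extend(finder.refs)
    return found


# Constructed sample: one inline (cid:) image, two remote references, one link.
SAMPLE = (
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n--b1\r\nContent-Type: text/html\r\n\r\n"
    b'<link rel="stylesheet" href="https://cdn.example/s.css"><img src="cid:logo">'
    b'<img src="http://img.example/p.gif"><a href="https://example.org/">site</a>\r\n--b1--\r\n'
)
```

A message for which `remote_refs` returns an empty list renders without contacting any server; anything it does return is what the "disable remote content" setting has to block.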

According to the researchers, EFAIL affects clients that use a graphical user interface, including Thunderbird with Enigmail, Apple Mail with GPGTools and Outlook with Gpg4win.

Of course, if you recognise the need to securely encrypt your communications, you probably also understand that resorting to sending and receiving unencrypted email is far from an acceptable solution. And that person's email client decrypts the email and loads external content, "thus exfiltrating the plaintext to the attacker". "Instead, use non-email based messaging platforms, like Signal, for your encrypted messaging needs". In particular, he's recommended temporarily disabling PGP/GPG in Outlook, Apple Mail and Thunderbird.

While PGP is today owned by Symantec, an open source implementation called GNU Privacy Guard (GPG) has been widely adopted by the security community; in a number of contexts, this is referred to as OpenPGP. The vulnerability allows hackers to read an encrypted email by making changes to its HTML, which essentially tricks the affected email applications into decrypting the rest of the message. Anyone who wants their email communication to be secure and private should take notice.

In a 2014 blog post, Green wrote that "it's time for PGP to die", noting that it was time to build something much better.