A critical PGP flaw could expose your past emails


The idea is that attackers shouldn't be able to read your messages even if they intercept them or somehow gain access to your accounts.

Researchers have discovered a vulnerability in the OpenPGP and S/MIME protocols that allows for the exfiltration of plaintext messages. This attack relies on a three-part message being sent.

A paper detailing the vulnerability, co-authored by Sebastian Schinzel, computer security professor at the Münster University of Applied Sciences in Germany, is available online.

The Electronic Frontier Foundation (EFF) advises users to immediately disable all email tools that automatically decrypt PGP.

The security flaws that have been discovered could potentially leak the contents of the encrypted messages you send and receive via email when they are encrypted with PGP or S/MIME.

It advised users to disable the use of active content, such as HTML code and the loading of external content, and to secure their email servers against external access.

While not explicitly mentioned, you may also disable the loading of remote content in the email client to prevent successful exploits. In fact, the only clients protected against S/MIME attacks are Claws Mail and Mutt, whereas more clients are protected against PGP-targeting attacks.

According to the researchers, EFAIL affects clients that use a graphical user interface, including Thunderbird with Enigmail, Apple Mail with GPGTools and Outlook with Gpg4win.

Of course, if you recognise the need to securely encrypt your communications, you probably also understand that resorting to sending and receiving unencrypted email is far from an acceptable solution. And that person's email client decrypts the email and loads external content, "thus exfiltrating the plaintext to the attacker". "Instead, use non-email based messaging platforms, like Signal, for your encrypted messaging needs". In particular, he's recommended temporarily disabling PGP/GPG in Outlook, Apple Mail and Thunderbird.

While PGP is today owned by Symantec, an open source implementation called GNU Privacy Guard (GPG) has been widely adopted by the security community in a number of contexts; this is referred to as OpenPGP. The vulnerability allows hackers to read an encrypted email by making changes to its HTML, which essentially tricks the affected email applications into decrypting the rest of the message. Anyone who wants their email communication to be secure and private should take notice.

In a 2014 blog post, Green wrote that "it's time for PGP to die", noting that it was time to build something much better.