AuthorTopic: Critical bug in PGP interface  (Read 197 times)

Offline Palloy2

  • Administrator
  • Sous Chef
  • *****
  • Posts: 6096
    • View Profile
    • Palloy's Blog
Critical bug in PGP interface
« on: May 14, 2018, 02:50:12 PM »
This only applies to the Enigmail implementation of OpenPGP for Thunderbird, GPGTools for AppleMail, and GPG4Win for Outlook.  If you use one of those, you should uninstall it and await a fixed version.  It does not apply to the recommended GPG4USB (which is on version 0.3.3-2).

https://thehackernews.com/2018/05/pgp-smime-email-encryption.html
Critical Flaws in PGP and S/MIME Tools Can Reveal Encrypted Emails in Plaintext
Swati Khandelwal
May 13, 2018

Note—the technical details of the vulnerabilities introduced in this article has now been released, so you should also read our latest article to learn how the eFail attack works and what users can do to prevent themselves.

An important warning for people using widely used email encryption tools—PGP and S/MIME—for sensitive communication.

A team of European security researchers has released a warning about a set of critical vulnerabilities discovered in PGP and S/Mime encryption tools that could reveal your encrypted emails in plaintext.

What's worse? The vulnerabilities also impact encrypted emails you sent in the past.

PGP, or Pretty Good Privacy, is an open source end-to-end encryption standard used to encrypt emails in a way that no one, not even the company, government, or cyber criminals, can spy on your communication.

S/MIME, Secure/Multipurpose Internet Mail Extensions, is an asymmetric cryptography-based technology that allows users to send digitally signed and encrypted emails.

Sebastian Schinzel, computer security professor at Münster University of Applied Sciences, headed on to Twitter to warn users of the issue, and said that "there are currently no reliable fixes for the vulnerability."

Electronic Frontier Foundation (EFF) has also confirmed the existence of “undisclosed” vulnerabilities and recommended users to uninstall PGP and S/MIME applications until the flaws are patched.

    "EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages," the organisation said in its blog post.

    "Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email."


So, until the vulnerabilities are patched, users are advised to stop sending and especially reading PGP-encrypted emails for now, and use alternative end-to-end secure tools, such as Signal.

EFF has warned users to immediately disable if they have installed any of the following mentioned plugins/tools for managing encrypted emails:

    Thunderbird with Enigmail
    Apple Mail with GPGTools
    Outlook with Gpg4win



It should be noted that researchers have not claimed that the flaws reside in the way encryption algorithm works; instead, the issues appear in the way email decryption tools/plugins work.

The full technical details of the vulnerabilities will be released in a paper on Tuesday at 7 am UTC (3 am Eastern, midnight Pacific time).

Stay Tuned to The Hacker News for further details on the vulnerabilities.
"The State is a body of armed men."

Offline Palloy2

  • Administrator
  • Sous Chef
  • *****
  • Posts: 6096
    • View Profile
    • Palloy's Blog
Re: Critical bug in PGP interface
« Reply #1 on: May 15, 2018, 02:47:19 PM »
More on how its done at https://thehackernews.com/2018/05/efail-pgp-email-encryption.html

Essentially the attacker has to get a copy of the encrypted email, modify it, and send it to you again.  The  email will then cause the process to go to the attacker's server for an object (for example an image) with the name "Unencrypted Text.jpg".
This is a pretty sophistcated attack, but quite doable for NSA.  For a full (uncopyable) list of apps involved, go to the site.
"The State is a body of armed men."

 

Related Topics

  Subject / Started by Replies Last post
0 Replies
246 Views
Last post September 23, 2016, 02:00:13 PM
by Palloy
1 Replies
412 Views
Last post February 08, 2017, 01:17:49 PM
by Palloy2
0 Replies
137 Views
Last post June 28, 2017, 03:29:18 PM
by Palloy2