Hi,
I have written a short blog article on EFAIL.
https://www.ciphermail.com/blog/efail-who-is-vulnerable-pgp-smime-or-your-mail-client.html
Kind regards,
Martijn Brinkers
···
On 14-05-18 14:40, CipherMail via Users wrote:
Hi,
This morning we were alerted about a new PGP vulnerability.
English:
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
Dutch:
https://tweakers.net/nieuws/138557/onderzoekers-stop-direct-met-gebruik-pgp-vanwege-lekken.html
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
Quoting Martijn Brinkers via Users <users(a)lists.djigzo.com>:
Hi,
I have written a short blog article on EFAIL.
https://www.ciphermail.com/blog/efail-who-is-vulnerable-pgp-smime-or-your-mail-client.html
Kind regards,
Martijn Brinkers
Hi,
This morning we were alerted about a new PGP vulnerability.
English:
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
Dutch:
https://tweakers.net/nieuws/138557/onderzoekers-stop-direct-met-gebruik-pgp-vanwege-lekken.html
What might be a secure fallback is to get a setting for CipherMail to
only decrypt validly signed e-mail and simply pass it along if there is
no signature or an invalid signature. This could be a setting for the
security-aware operator in the spirit of "better safe than sorry", no?
This will prevent CipherMail from using the decryption key in cases
where the user might get tricked into trusting the sender otherwise.
Regards
Andreas
···
That might work but I do not know how often email is encrypted and not
signed. Also in theory the attacker should be able to generate a signed
message (although I think this is not feasible in practice).
I have written a short article on how you can detect whether a decrypted
email was misused for EFAIL (see other email to mailing list).
Kind regards,
Martijn Brinkers
···
On 15-05-18 12:06, Andi via Users wrote:
Quoting Martijn Brinkers via Users <users(a)lists.djigzo.com>:
Hi,
I have written a short blog article on EFAIL.
https://www.ciphermail.com/blog/efail-who-is-vulnerable-pgp-smime-or-your-mail-client.html
Kind regards,
Martijn Brinkers
On 14-05-18 14:40, CipherMail via Users wrote:
Hi,
This morning we were alerted about a new PGP vulnerability.
English:
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
Dutch:
https://tweakers.net/nieuws/138557/onderzoekers-stop-direct-met-gebruik-pgp-vanwege-lekken.html
What might be a secure fallback is to get a setting for CipherMail to
only decrypt validly signed e-mail and simply pass it along if there is no
signature or an invalid signature. This could be a setting for the
security-aware operator in the spirit of "better safe than sorry", no?
This will prevent CipherMail from using the decryption key in cases
where the user might get tricked into trusting the sender otherwise.