LinuxQuestions.org
Old 05-14-2018, 05:48 PM   #1
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: High Sierra
Posts: 9,096
Blog Entries: 37

Rep: Reputation: Disabled
PGP Vulnerability Pre-announced By Security Researcher


Ouch.
https://hackaday.com/2018/05/14/pgp-...ty-researcher/
 
Old 05-14-2018, 07:31 PM   #2
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,362

Rep: Reputation: 1514
https://lists.gnupg.org/pipermail/gn...ay/060334.html


Quote:
An Official Statement on New Claimed Vulnerabilities
== ======== ========= == === ======= ===============
by the GnuPG and Gpg4Win teams

(This statement is only about the susceptibility of OpenPGP, GnuPG, and
Gpg4Win. It does not cover S/MIME.)

Recently some security researchers published a paper named "Efail:
Breaking S/MIME and OpenPGP Encryption using Exfiltration Channels".
The EFF has gone so far as to recommend immediately uninstalling
Enigmail. We have three things to say, and then we're going to show you
why we're right.

1. This paper is misnamed.

2. This attack targets buggy email clients.

3. The authors made a list of buggy email clients.

[...]


The authors have done the community a good service by cataloguing buggy
email clients. We're grateful to them for that. We do wish,
though, this thing had been handled with a little less hype. A whole
lot of people got scared, and over very little.
 
Old 05-14-2018, 08:35 PM   #3
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mageia, and whatever VMs I happen to be playing with
Posts: 13,819
Blog Entries: 24

Rep: Reputation: 3682
From Bruce Schneier: https://www.schneier.com/blog/archiv...s_on_a_ne.html
 
Old 05-15-2018, 04:18 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: High Sierra
Posts: 9,096
Blog Entries: 37

Original Poster
Rep: Reputation: Disabled
Like who's gonna second guess Phil Zimmermann's code?
 
Old 05-29-2018, 03:17 AM   #5
Michael Uplawski
Member
 
Registered: Dec 2015
Location: Normandy, France
Distribution: Debian buster/sid
Posts: 668
Blog Entries: 20

Rep: Reputation: 418
Quote:
Originally Posted by frankbell
The comments to this blog entry are as important as the post itself.

Quote:
Bruce Schneier May 14, 2018 4:01 PM

@ lisaev:

"Bruce, please don't spread misinformation. There are no bugs in PGP, only in email clients mishandling warnings from GnuPG."

Agreed. I believe I said that this is not a bug in PGP. That is what I meant to say here: "The vulnerability isn't with PGP or S/MIME itself, but in the way they interact with modern e-mail programs."
Handle incoming HTML-mail as you should. Again, the responsibility is with the user, not the software.
 
  


All times are GMT -5. The time now is 10:20 AM.
