Re: #eFail is #reFail

Author: der.hans
Date:  
To: Main PLUG discussion list
Subject: Re: #eFail is #reFail
On 15 May 2018, Herminio Hernandez, Jr. wrote:

Hello,

> Any thought on this response from the GnuPG
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html


Here's a timeline of GnuPG's interaction with the Efail group starting in
November.

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060320.html

The EFF is pointing out that while your client might be safe, your
message might not due to the other person's mail client.

----
While you may not be directly affected, the other participants in your
encrypted conversations are likely to be. For this attack, it isn’t
important whether the sender or the receiver of the original secret
message is targeted. This is because a PGP message is encrypted to both of
their keys.
----

https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0

Not sure how the EFF has data to suggest that most people who actively use
OpenPGP to encrypt messages are also using susceptible clients with bad
configurations...

The suggestion of using offline decryption tools for PGP doesn't fix that
problem any more than getting people to use safe email clients with safe
configurations.

I will agree that many people will want insecure convenience
features. Let's use the list from mailpile.

https://www.mailpile.is/blog/2018-05-14_PGP_Security_Alert.html

1. Mailpile does not display HTML content by default

2. Before displaying HTML, Mailpile cleans up malformed and incomplete
tags.

3. When displaying HTML, Mailpile does not load remote content by
default.

4. Mailpile respects the GnuPG error messages which warn of invalid data.

5. Mailpile never sends auto-replies to incoming mail.

I predict most people aren't going to stop using HTML email. If they were
really serious about security they would already be avoiding HTML email.

Mail clients should be doing 2, 4 and 5. Those greatly reduce the danger
of 1.

3 should be the default, but some people likely want remote content
to just work. There should definitely be a configuration option to
forbid loading remote content without user interaction. Can there be
a configuration option to disable HTML and remote content loading for
OpenPGP encrypted emails?

Additionally, email clients should not allow JavaScript.

ciao,

der.hans

> On Mon, May 14, 2018 at 9:21 PM, Matthew Crews <>
> wrote:
>
>> Never been a fan of HTML emails anyway. It's too bad that most websites
>> that have email communications insist on emailing you with HTML.
>> ---------------------------------------------------
>> PLUG-discuss mailing list -
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>


--
# https://www.LuftHans.com https://www.PhxLinux.org
# "It is a miracle that curiosity survives formal education."
# -- Albert Einstein
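As an added example (not code from this thread, from Mailpile or from GnuPG), here is a small Python sanitizer for a text/html mail part that implements Mailpile's points 2 and 3 from the list above plus the "no JavaScript" rule: it drops script and other code-bearing or resource-pulling elements, strips attributes that fetch remote content at render time (cid: references to attached parts are kept, and plain links stay because they need a click), and closes any element left open. All class, function and constant names are my own.

```python
import html
from html.parser import HTMLParser

FETCH_ATTRS = {"src", "srcset", "background", "poster"}  # fetched at render time, no click needed
DROP_TAGS = {"script", "iframe", "object", "embed", "link", "meta", "base", "style"}  # code/external
VOID_TAGS = {"img", "br", "hr", "input", "area", "col", "wbr"}  # elements that take no closing tag
LOCAL_SCHEMES = ("cid:", "data:")  # cid: refers to a MIME part attached to the same mail


class MailHtmlSanitizer(HTMLParser):
    """Rewrite one text/html part so it renders without network access or script, then close every open element."""
    def __init__(self):
        super().__init__()
        self.out, self.open_tags = [], []
        self.skipping = self.blocked = 0  # depth inside a dropped element / items removed
    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.skipping, self.blocked = self.skipping + 1, self.blocked + 1
            return
        if self.skipping: return
        kept = []
        for name, value in attrs:
            remote = name in FETCH_ATTRS and not (value or "").strip().lower().startswith(LOCAL_SCHEMES)
            if name.startswith("on") or remote:  # inline event handler or remote fetch
                self.blocked += 1
                continue
            kept.append(f' {name}="{html.escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in self.open_tags:
            while self.open_tags:  # also close anything still open inside this element
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag: break
    def handle_data(self, data):
        if not self.skipping: self.out.append(html.escape(data, quote=False))
    def result(self):
        self.close()
        while self.open_tags:  # finish incomplete markup (Mailpile's point 2)
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_mail_html(raw_html):
    """Return (safe_html, blocked_count) for one text/html part, e.g. right after decryption."""
    p = MailHtmlSanitizer()
    p.feed(raw_html)
    return p.result(), p.blocked
```

Feed it the HTML part of a decrypted message before rendering; a non-zero blocked count is worth surfacing to the user as a warning, in the same spirit as point 4 (not hiding GnuPG's own warnings).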