efail

2018-05-15 07:41 am
[personal profile] mdlbear

If your mail client automatically decrypts mail, read this!

There's no need to panic, but you should immediately disable and/or uninstall plugins that automatically decrypt PGP-encrypted or S/MIME email. The linked article tells you how.

The vulnerability is called EFAIL (the obligatory website with clever name), and allows an attacker to read your encrypted email, in effect "over your shoulder", by sending you a modified version of the encrypted message. They can do this by eavesdropping, compromising an email account or server, etc. The attack is based on the way active content, such as images, is handled in HTML email.

Short term: No decryption in email client. The best way to prevent EFAIL attacks is to only decrypt S/MIME or PGP emails in a separate application outside of your email client. Start by removing your S/MIME and PGP private keys from your email client, then decrypt incoming encrypted emails by copy&pasting the ciphertext into a separate application that does the decryption for you. That way, the email clients cannot open exfiltration channels. This is currently the safest option with the downside that the process gets more involved.

Short term: Disable HTML rendering. The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc. Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking EFAIL. Note that there are other possible backchannels in email clients which are not related to HTML but these are more difficult to exploit.
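
An added example, not from the original post or the EFAIL authors: a Python scanner that reduces a decrypted HTML body to plain text and lists every reference an HTML-rendering mail client would fetch on its own, which is the backchannel that disabling HTML rendering closes. The attribute list is an assumption and not exhaustive, and the sample message is constructed.

```python
import re
from html.parser import HTMLParser

# Auto-fetched URL attributes in rendered HTML mail (assumed, non-exhaustive).
AUTO_FETCH = {"src", "srcset", "background", "poster"}
REMOTE = re.compile(r"^\s*(https?:)?//", re.I)  # absolute or scheme-relative URL
CSS_URL = re.compile(r"url\(|@import", re.I)    # CSS can load resources too

class BackchannelScanner(HTMLParser):
    """Collects visible text and every reference that would cause a request."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.channels, self._skip = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip = tag  # element content is not visible text
        for name, value in attrs:
            value = value or ""
            fetches = name in AUTO_FETCH or (tag == "link" and name == "href")
            if fetches and REMOTE.match(value):
                self.channels.append((tag, name, value))
            elif name == "style" and CSS_URL.search(value):
                self.channels.append((tag, name, value))

    def handle_endtag(self, tag):
        if tag == self._skip:
            self._skip = None

    def handle_data(self, data):
        if self._skip == "style" and CSS_URL.search(data):
            self.channels.append(("style", "css", data.strip()))
        elif self._skip is None and data.strip():
            self.text.append(data.strip())

def scan_decrypted_html(html):
    """Return (plain_text, channels) for a decrypted HTML body; fetch nothing."""
    scanner = BackchannelScanner()
    scanner.feed(html)
    scanner.close()  # flush any buffered trailing text
    return "\n".join(scanner.text), scanner.channels

# Constructed sample: one CSS url(), one remote image, one inline cid: image.
SAMPLE = ('<style>body{background:url(http://tracker.example/b.png)}</style>'
          '<p>Meet at noon.</p><img src="http://tracker.example/p.gif?id=1">'
          '<img src="cid:logo@local"><a href="http://example.org/">link</a>')

if __name__ == "__main__":
    print(scan_decrypted_html(SAMPLE))
```

The `cid:` image and the ordinary `<a href>` link are not reported, because neither causes a request until the reader acts on it.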

Links below:

  @ EFAIL Paper [PDF]
  @ Critical PGP and S/MIME bugs can reveal encrypted emails—uninstall now [Updated]
  @ Attention PGP Users: New Vulnerabilities Require You To Take Action Now | EFF
  @ Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw | EFF

This has been a public service announcement from The Computer Curmudgeon.

Date: 2018-05-15 06:28 pm (UTC)
From: [personal profile] madfilkentist
This just adds to the reasons why HTML mail is wrong.

Date: 2018-05-15 07:54 pm (UTC)
From: [personal profile] archangelbeth
AMEN.

Date: 2018-05-16 01:41 am (UTC)
From: [personal profile] lemon_badgeress
I’m sorry, but I literally do not understand a word of this or any of the links. If it’s not too much bother—I use gmail. What do I need to do?

(Stop is not a possible answer for me)

Date: 2018-05-16 03:40 am (UTC)
From: [personal profile] lemon_badgeress
That's a huge relief! Thank you!

Date: 2018-05-16 09:53 am (UTC)
From: [personal profile] madfilkentist
Where "safe" means "People have been able to snoop your mail all along," of course.

Date: 2018-05-17 01:12 am (UTC)
From: [personal profile] thnidu
Similarly for me, including gmail. I understand "encrypted mail" & "private key" in theory, but AFAIK I don't have anything using them.
