<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(0,0,0)">> Oh ya, this all could have been avoided if people stopped using HTML in emails and HTML-capable MUAs. <GRIN><br> <br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(0,0,0)">Oh come now (grin or no grin)! That would take us back to the textual-content-only era that was already ending by about 1995. Non-textual content and good looks in e-mail do matter in 2018!<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(0,0,0)"> <br clear="all"></div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font size="2"><span style="font-family:verdana,sans-serif">Hartmut W Sager - Tel +1-204-339-8331, +1-204-515-1701, +1-204-515-1700, +1-810-471-4600<br></span></font><br></div></div></div></div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, 14 May 2018 at 23:24, Trevor Cordes <<a href="mailto:trevor@tecnopolis.ca">trevor@tecnopolis.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><a href="https://www.eff.org/deeplinks/2018/05/pgp-and-efail-frequently-asked-questions" rel="noreferrer" target="_blank">https://www.eff.org/deeplinks/2018/05/pgp-and-efail-frequently-asked-questions</a><br>
<a href="https://efail.de/efail-attack-paper.pdf" rel="noreferrer" target="_blank">https://efail.de/efail-attack-paper.pdf</a><br>
<br>
Nasty year for security 2018 is turning out to be.<br>
<br>
Newly announced flaw in PGP/GPG when used for email that lets remote<br>
hackers get copies of your encrypted emails (whether sender or<br>
recipient). Many (most?) email clients (MUAs) are not patched yet (but<br>
the Linux ones should be shortly).<br>
<br>
The encryption itself isn't broken, it's the way email clients and<br>
their html parsers work that is being abused. For the hack to work<br>
you have to use a vulnerable email client that has builtin html<br>
support (most do, but mine doesn't, yay!) and the attacker has to<br>
intercept an encrypted email for/from you and then send it to you<br>
wrapped in some naughty html. Your email client then decrypts the<br>
email and the naughty html promptly sends a copy to the attacker via<br>
backchannels (getvars or similar in img tags hitting hacker servers).<br>
<br>
To be clear, they can only use this hack to read emails they've already<br>
intercepted and tricked you into opening in your HTML MUA.<br>
<br>
If you use GPG from the command line you're basically safe. It's still<br>
good encryption (with a caveat about integrity checks that won't affect<br>
most use cases). GPG used for package signing, etc, is still safe.<br>
GPG used for local file encryption is safe.<br>
<br>
To be safe for email, update your MUA when it patches this, and ensure<br>
all your contacts you PGP/GPG with do the same. Unlike Spectre et al,<br>
this one is fairly easy to fix assuming most people do it in a<br>
reasonable amount of time (ya, I know).<br>
<br>
Strangely, EFF recommends people phase our PGP/GPG email and have no<br>
real recommended drop-in replacement. I find this odd, as to me *some*<br>
emails being hackable certainly beats *all* emails being hackable (i.e.<br>
plaintext) which is basically what they are advocating.<br>
<br>
Oh ya, this all could have been avoided if people stopped using HTML in<br>
emails and HTML-capable MUAs. <GRIN><br>
_______________________________________________<br>
Roundtable mailing list<br>
<a href="mailto:Roundtable@muug.ca" target="_blank">Roundtable@muug.ca</a><br>
<a href="https://muug.ca/mailman/listinfo/roundtable" rel="noreferrer" target="_blank">https://muug.ca/mailman/listinfo/roundtable</a><br>
</blockquote></div></div>