[colug-432] GPG/PGP vulnerability
Rick Hornsby
richardjhornsby at gmail.com
Mon May 14 17:26:16 EDT 2018
On May 14, 2018 at 1:29:07 PM, Judd Montgomery (judd at engineer.com) wrote:
I know a few of us on the list use GPG for email.
https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0
I think there’s an easy solution — turn off HTML in your email client? At
the very least don’t allow external content to load? That would ostensibly
stop the outbound call to the remote server that carries with it the
exfiltrating data.
I guess the advice to stop using PGP/GPG is because both ends would have to
do this to mitigate the risk of compromise?
I understand sort of why they’re focusing on PGP/GPG, but that doesn’t seem
like the problem. In the second scenario with the missing integrity checks,
there’s a good argument to be made for a weakness. Otherwise, this seems
like an email client misbehaving.
(On a related note, if you have external content (usually images)
automatically loading in your email client, you should know that you are
being tracked. The sender, or their list manager proxy, knows when you open
the email without requiring the affirmative action of something like a read
receipt. When possible I keep auto-loading of external content
intentionally turned off because of this. I also avoid opening messages I
know will have trackers on my iOS devices, because that client doesn’t have
the remote content off option.)
When HTML first started to be made a thing all those years ago — thank you
Microsoft Outlook for all the pink Comic Sans — I complained to anyone who
would listen that it was a terrible idea and that HTML did not belong in
email. Obviously, I lost that argument windmills being what they are.
Moving forward, we’ve known about these sort of drive-by attacks ever since
malicious actors made Internet Explorer their … tool.
It feels like we’re dealing with the same thing. Unless GPG has some kind
of code exploitation bug or built-in scripting engine that’s being abused,
I’m having difficulty finding fault with GPG here.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.colug.net/pipermail/colug-432/attachments/20180514/be77c07c/attachment.html
More information about the colug-432
mailing list