PGP vulnerability details - Seems more an issue of the clients than the protocol

Researchers have warned about a vulnerability in PGP through Twitter, promising full disclosure two days later. They made quite a strong claim, warning against using any PGP encryption in mail clients.

And even the EFF got into this with the same warnings:

It seems to me that the actual vulnerability has less to do with the protocol and more with badly made clients. Both the ProtonMail and the GnuPG guys make a very solid case in that respect. And the actual paper disclosed later seems to give the same idea:

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html

https://protonmail.com/blog/pgp-vulnerability-efail/

https://efail.de/

This really looks to me like a case where a researcher tries to create hype around his work by exaggeration through Twitter. And when even the EFF falls into the hype bandwagon then you really have good potential for misinformation. When there is so much information the impression tends to be more lasting than the details. This is somewhat of a worrying trend in reporting vulnerabilities. What do you think?

I haven’t used PGP, but I imagine it is important for those who need it, i.e. reporters, sources, whistleblowers and dissidents…
So stopping the use of clients for now until sorted is a good thing?
The hype is probably more a result of the social media effect - clickbait raising the researcher’s profile, to gain some profit from their work for the short news cycle that it lasts?

Yep, not a big deal. Not a vulnerability in the encryption itself, and this won’t expose all the email you sent over the past 20 years or anything. It’s just the HTML renderer implementation in a number of clients, and exploiting it requires a man-in-the-middle attack and the victim to decrypt and display the modified email content. Turn off HTML rendering for a week until they patch it.

Are you sure?
(What do you think about S/MIME in general? I got a certificate from COMODO, had to download the exe program for creation. IDK about its security since it was linked specifically to my key-application on the page. So, they could know the private key before ‘creation’, couldn’t they?)

The real concern, as Green pointed out, is S/MIME, which is used by private corporations and government entities across the globe.

“It’s an extremely cool attack and kind of a masterpiece in exploiting bad crypto, combined with a whole lot of sloppiness on the part of mail client developers,” Green explained.

In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.

Attacking and modifying encrypted email stored on servers could actually happen, so this is a big deal.