Researchers Discover Vulnerabilities in PGP/GPG Email Encryption Plugins, Users Advised to Avoid for Now

Discussion in 'MacRumors.com News Discussion' started by MacRumors, May 14, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    A warning has been issued by European security researchers about critical vulnerabilities discovered in PGP/GPG and S/MIME email encryption software that could reveal the plaintext of encrypted emails, including encrypted messages sent in the past.


    The alert was put out late on Sunday night by professor of computer security Sebastian Schinzel. A joint research paper, due to be published tomorrow at 07:00 a.m. UTC (3:00 a.m. Eastern Time, 12:00 a.m. Pacific), promises to offer a thorough explanation of the vulnerabilities, for which there are currently no reliable fixes.


    Details remain vague about the so-called "Efail" exploit, but it appears to involve an attack vector on the encryption implementation in the client software as it processes HTML, rather than a vulnerability in the encryption method itself. A blog post published late Sunday night by the Electronic Frontier Foundation said:

    In the meantime, users of PGP/GPG and S/MIME are being advised to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email, and seek alternative end-to-end encrypted channels such as Signal to send and receive sensitive content.

    Update: The GPGTools/GPGMail team has posted a temporary workaround against the vulnerability, while MacRumors has compiled a separate guide to removing the popular open source plugin for Apple Mail until a fix for the vulnerability is released. Other popular affected clients include Mozilla Thunderbird with Enigmail and Microsoft Outlook with GPG4win. Click the links for EFF's uninstall steps.

     
  2. rodpascoe macrumors regular

    rodpascoe

    Joined:
    Jun 19, 2006
    Location:
    Truro, Cornwall
  3. flyinmac macrumors 68040

    flyinmac

    Joined:
    Sep 2, 2006
    Location:
    United States
    #3
    Hmm.... security protocol creates a vulnerability. To protect yourself, stop encrypting your emails???

    Interesting.
     
  4. SteveJUAE macrumors 68020

    SteveJUAE

    Joined:
    Aug 14, 2015
    Location:
    Land of Smiles
    #4
    Hope the alert was not sent by email LOL
     
  5. rturner2 macrumors 6502a

    Joined:
    Jul 18, 2009
  6. arekm macrumors newbie

    Joined:
    Jan 8, 2014
    #6
  7. flyinmac macrumors 68040

    flyinmac

    Joined:
    Sep 2, 2006
    Location:
    United States
    #7
    Going back to using birds to deliver my messages. Considered pigeons... but I want a bird that can shred anyone who tries to intercept my message. Decided on Hawks.
     
  8. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #8
    I work for a company that had done something similar. Sent out an email stating that email was down. Of course we didn't see that notice until they resolved the problem. :p
    --- Post Merged, May 14, 2018 ---
    From what I've read, it's a bug in PGP, not mail
     
  9. Detektiv-Pinky macrumors 6502a

    Detektiv-Pinky

    Joined:
    Feb 25, 2006
    Location:
    Berlin, Germany
    #9
    I heard differently. It is supposedly a bug affecting any kind of email encryption using MIME and automatically loading remote content. Also the built-in S/MIME encryption is at risk.
     
  10. HobeSoundDarryl macrumors 604

    HobeSoundDarryl

    Joined:
    Feb 8, 2004
    Location:
    Hobe Sound, FL (20 miles north of Palm Beach)
    #10
    Beware the Avian Pox https://tvmdl.tamu.edu/2018/03/27/hawk-diagnosed-with-avian-pox/ , Avian Flu: http://www.cidrap.umn.edu/news-pers...king-big-toll-iowa-virus-found-minnesota-hawk and West Nile: https://www.countynewscenter.com/hawk-tests-positive-for-west-nile-virus-protect-against-mosquitoes/

    American Indian smoke signals anyone?

    Encrypted by only using them in heavy fog?

    ;)
     
  11. simonmet macrumors 68000

    simonmet

    Joined:
    Sep 9, 2012
    Location:
    Sydney
    #11
    I swear half the time these vulnerabilities are by design. It just seems like everything will at some point have a security vulnerability of some form or other.
     
  12. whooleytoo macrumors 604

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #12
    Exactly my reaction. "Some of your emails may be insecure. So remove this software so that they're all insecure." ??

    (Bigger question - why the hell are we still using insecure, spam-tastic email? It's astonishing that no mainstream secure alternative, with disposable addresses has really gained much traction.)

    I remember going through an exhaustive security audit for a client (covering hosting, backup policy, security policies, incident management etc.) as they were sending us personal user information. Once we passed, they emailed it to us.... o_O
     
  13. Unregistered 4U macrumors 6502

    Joined:
    Jul 22, 2002
    #13
    Same that I read. Essentially, if you already have the viewing of remote images turned off (which I did a while ago), then this doesn't work when you read the email. You'd have to read the email THEN click "load images".
     
  14. belvdr macrumors 603

    Joined:
    Aug 15, 2005
    Location:
    No longer logging into MR
    #14
    It's a problem in the mail user agent (MUA), not PGP/GPG. From the mailing list:

    https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

    It also appears that some versions of OpenPGP already use authenticated encryption. From what I'm reading, this is a really old bug that many wanted to get fixed, but the MUAs fail to fix it.
     
  15. H3LL5P4WN macrumors 68000

    H3LL5P4WN

    Joined:
    Jun 19, 2010
    Location:
    Pittsburgh PA
    #15
    Yeah, cause the EFF would totally benefit from telling people whose lives may depend on encryption to stop using encryption.
     
  16. apolloa macrumors G4

    Joined:
    Oct 21, 2008
    Location:
    Time, because it rules EVERYTHING!
    #16
    The story is confusing on here...

    So is it Mac Mail that’s at fault? Or a plug-in you have to have installed yourself?
     
  17. allpar macrumors 6502

    allpar

    Joined:
    May 20, 2002
    #17
    So basically, if I send emails without html, all is OK for the moment?

    (Sure looks that way! -> “"Efail": as a temporary workaround against "efail" (https://efail.de ), disable "Load remote content in messages" in Mail → Preferences → Viewing. GPG Suite 2018.2 which mitigates against this attack is coming very soon.”)
     
  18. KidPub macrumors member

    Joined:
    Dec 8, 2009
    Location:
    Near Boston MA
    #18
    @ProtonMail is claiming that the Enigmail plugin for Thunderbird has been patched for this for months...presumably ProtonMail's client is fine, too. I agree with @BrianKrebs that this is really irresponsible by @eff (am EFF member).
     
  19. vegetassj4 macrumors regular

    vegetassj4

    Joined:
    Oct 16, 2014
    #19
    So, files encrypted outside of mail plugins are still safe?
     
  20. manu chao macrumors 603

    Joined:
    Jul 30, 2003
    #20
    Modern encryption requires that your public key is sent to the person wanting to send you an encrypted message. That is usually achieved via a central server. Even PGP uses a central key server (though one is not required to use it). The next task for any messaging service is to assign 'addresses'. With email that is done via domain names (of your email provider) but whether your message is really delivered to the right person depends on the domain holder to correctly distribute things to their subdomains (aka email addresses). With Signal, the addressing is done via a phone number (which relies on the phone companies to deliver to the correct device).

    Both aspects, delivering the correct public key and sending the message to the correct user rely on trust in the central servers holding the keys and distributing the messages. In an open system (like email where addresses are created by acquiring a domain name, which anybody can do, and distributing subdomains or mobile phone numbers where a huge number of carriers exist with many more mobile virtual network operators on top), you are only as secure as you can trust every individual actor.

    With iMessage you trust Apple that your public key is delivered without tampering to the sender of a message to you. Ditto with Whatsapp and Facebook. Signal, Telegram, Line, WeChat all have central servers for that. With open systems like email, you rely on every email provider to not be tampering.
     
  21. Ted13 macrumors 6502a

    Joined:
    Dec 29, 2003
    Location:
    NYC
    #21
    My view - use iMessage, FaceTime or Signal for reliable encrypted communication. If you want to send a long letter, type it up in Pages or Word or ... and then attach it to an iMessage. It will be end to end encrypted for you.

    Think of email as sending a postcard - cute but zero privacy.
     
  22. Janichsan macrumors 68000

    Janichsan

    Joined:
    Oct 23, 2006
    #22
    The guy is a professor at one of the local universities here in Münster, so no "pseudo research team". The wording is still alarmist and the tip to disable encryption as alternative to unsafe encryption is still somewhat idiotic.

    PGP/GPG is a plug-in, but S/MIME is a built-in encryption mechanism. And yes, apparently even the vulnerability of PGP/GPG is Mail's fault.
     
  23. Dave-Z macrumors 6502a

    Joined:
    Jun 26, 2012
    #23
    Use of S/MIME or GPG effectively makes email end-to-end encrypted, just like the methods you mentioned. From a technical perspective, these work very similarly.

    Yes, perhaps there's a vulnerability in this implementation, but once it's fixed continuing to use these methods is really quite secure.
     
  24. lkrupp macrumors 6502a

    Joined:
    Jul 24, 2004
    #24
    From what I’ve read it’s both. A bug in PGP and a flaw in how Mail handles HTML rendering that allows the PGP bug to do its dirty work. And Mail is not the only email client affected, and macOS is not the only platform either. And this sounds like something useful only to state operators targeting specific individuals or corporations. For those paranoids who encrypt their emails to grandma just because, well, that’s a different kind of problem.
     
  25. Sasparilla macrumors 65816

    Joined:
    Jul 6, 2012
    #25
    The workaround is to uncheck "Load Remote Content In Messages" from the Viewing preferences in Mail.

    If you care at all about security this shouldn't be checked in the first place (cause you don't want to be auto-loading all HTML emails and their potential security holes, you should just be auto-loading things as plain text from a security perspective).

    Fix is coming soon according to the GPGTools folks, perhaps folks are over-reacting?
     
