Monday, May 14, 2018
PGP Vulnerability ?
What You Need to Know About E-Fail and the PGP Flaw
A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days.
EFF is advising PGP users to pause in their use PGP and seek other modes of secure end-to-end communication for now.
--
ProtonMail has stated that it is safe against the efail PGP vulnerability. The real vulnerability is implementation errors in various PGP clients. PGP (and OpenPGP) is fine. Any service that uses our @openpgpjs library is also safe as long the default settings aren't changed. It is not correct to call Efail a new vulnerability in PGP and S/MIME. The root issue has been known since 2001. The real issue is that some clients that support PGP were not aware for 17 years and did not perform the appropriate mitigation. Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.
--
The research paper discussing the PGP vulnerability is available at: https://efail.de/efail-attack-paper.pdf
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.