PGP and S/MIME vulnerabilities found

https://lists.gnupg.org/pipermail/gn...ay/060315.html
Has the complete dope. Read the entire chain. Surprising that the authors of the research didn’t adequately communicate with the GPG/PGP Team beforehand.

I suspect the patch will be out shortly.

From my POV a simple solution is to replace the / in a link with # before you send it. This will prevent the email client from automatically attempting to display the remote HTML page. The recipient can decide if the want to reverse the switch and open the link with a browser running in a sandbox like firejail.

GnuPG gives an MDA warning but the encryption plugins don’t honor it.

Couple more links: https://efail.de/

https://www.eff.org/deeplinks/2018/0...and-pgp-flaw-0

That source claims that KMail and ProtonMail, among others, are not affected by this bug. Other sources I've read state that they are.

Posting this partial reveal today and reserving the full reveal for tomorrow, without having adequately informed GPG, GnuGP and PGP is irresponsible and smacks of strutting on stage for personal glory, IMO. "Look at us, look at what WE found!". Then being coy and stating that their Tweets were "carefully crafted" when asked to elaborate on specifics the user could take to mitigate the danger until tomorrow? Shame on them!

Walter Koch, creator of GnuGP, has a thread on this announcement. Following the thread through to the last msg is very informative:
https://lists.gnupg.org/pipermail/gn...ay/060315.html

The first is very informative and describes the MDC (Modification detection code), and how it works and how some email clients ignore the warnings.

For those who are not aware: PGP was released in 1991 by Phil Zimmerman as a proprietary tool. He left PGP in 1997 when he released the open sourced OpenPGP. Meanwhile, PGP changed hands several times over the years until 2010, when Symantec bought it. In 1999 Walter Koch released the open sourced GnuGP as an alternative to PGP before Symantec bought it. The OpenPGP standards was established by the IETF so that it would be interoperable with Symantec's PGP tools as well as OpenPGP standards. Therefore, PGP, GnuPG and OpenPGP can open and unencrypt any OpenPGP standards file.

Personally, I've tried encryption on KMail in the past just to see how it works, and it worked beautifully. But, it only works if you keep the key you used to decrypt the email. If you revoke it or lose it and create and install another key then those previously encrypted emails aren't decrypted when you next try to see them. I stopped encrypting or signing my emails a couple years ago, primarily because I never send what I'd consider to be very private info: SSN, CC#, etc., by email, and encrypting ordinary email is, for me, a waste of CPU cycles.

Another view of the PGP email problem:
https://www.securitynow.com/author.a...&doc_id=743111