Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-16 Thread Octavio Alvarez
On 05/15/2018 04:34 AM, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>> TL;DR = Don't use HTML email [snip]
> 
> That's enough right there.  HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.
There is a need for rich-text these days. What is your proposal?


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-16 Thread Rich Kulawiec
On Tue, May 15, 2018 at 10:42:31AM +0100, Brandon Butterworth wrote:
> and phishers/exploiters. HTML markup in email is used exclusively
> by four kinds of people 

I'll accept that as a friendly amendment. ;)

It is -- to Brian Kantor's point elsewhere in the thread -- very
unfortunate that many banks and financial institutions have spent much
of the past couple of decades assiduously training their customers to
be phish victims.  Some of them, including a very well-known, very
large company I'm communicating with at the moment, have compounded
that blunder by handing over lists of the email addresses of all their
customers to third parties, thus making it vastly easier for phishers
to get their hands on them.

(If the latter isn't clear, consider: suppose you were in the professional
phishing business.  "professional" as in doing it competently, not sending
messages full of fractured syntax.  Can you think of some places where you
would like to have one of your employees positioned?  How about some place
that handles customer email data for *many* banks/financial institutions?
One-stop shopping, as it were.  No need to get people into 27 different
operations when all you need to do is get one person into one.  And, most
likely, every one of those 27 has done you the favor of knocking themselves
out to make their customers vulnerable to you.  You're welcome.)

---rsk


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Daniel Corbe


On 5/15/2018 05:59, Brian Kantor wrote:
> 
> I imagine some fool told them this improves security, and they were
> stupid enough to believe it.
>   - Brian
> 

It's a bit simpler than that.   Too many people are dazzled by polished
presentations.   It's a sad fact of life that there are way too many
people walking around that are distracted by shiny things.


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Mark Rousell
On 15/05/2018 10:34, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>> TL;DR = Don't use HTML email [snip]
> 
> That's enough right there.  HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.
> 
> ---rsk

If only life were so simple.

I used to be a resolute user of plain text-only email. It was good
enough for me.

And then I realised how absurdly old-fashioned this appeared to my
clients. I'd send them emails explaining what I was going to do or about
the new product or service, and it just looked boring and backward. I
realised that I could no longer stick to plain text: It was actually
harming my business.

The world has moved on and rich content everywhere is now a must. It's
no longer optional (although of course it depends on with whom one
communicates).

Yes, you can blame this on "ignorant newbies who don't know any better"
but bear in mind that they are now the vast majority of users. They are
the ones ultimately paying the bills and we have to adapt to their
preferences, and not them to us.



P.S. And I agree with Suresh in the previous message. It is true that
there is a real problem here (more with S/MIME than PGP/GPG in practice)
but it's being hyped up and overblown. The content does not fully
support the headlines.


-- 
Mark Rousell




Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread ~
Embargo has been broken. Here's the full details: https://efail.de

(h/t Martijn Grooten)

On Mon, 14 May 2018, 09:19 Suresh Ramasubramanian wrote:

> Seems to be a set of MUA bugs that are being overblown and hyped up.
>
> TL;DR = Don't use HTML email with some mail clients when sending pgp
> encrypted mail.
>
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
>
> --srs
>
> On 14/05/18, 1:15 PM, "NANOG on behalf of George William Herbert" <
> nanog-boun...@nanog.org on behalf of george.herb...@gmail.com> wrote:
>
>
> This is likely bad enough operators need to pay attention.
>
> @seecurity tweeted:
>
> "We'll publish critical vulnerabilities in PGP/GPG and S/MIME email
> encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of
> encrypted emails, including encrypted emails sent in the past. #efail 1/4"
>
> Thread starts here:
> https://twitter.com/seecurity/status/995906576170053633?s=21
>
> I have no particular insight into what it is other than presuming from
> thread that decryption can be tricked to do bad things.
>
> They recommend temporary disabling downthread:
>
> "There are currently no reliable fixes for the vulnerability. If you
> use PGP/GPG or S/MIME for very sensitive communication, you should disable
> it in your email client for now. Also read @EFF’s blog post on this issue:
> eff.org/deeplinks/2018… #efail 2/4"
>
> -george
>
> Sent from my iPhone
>
>
>


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Hunter Fuller
On Tue, May 15, 2018 at 2:31 PM Alan Buxey wrote:

> real ones
>

Ah, the classic "no true Scotsman." I haven't seen one of these in a while.

I think the vast majority of HTML email use is due to "email formatting and
markup" being somewhere near the end of the priority list. I know that's
where it resides on mine.
-- 

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Alan Buxey
real ones send such formulae as LaTeX attachments - where their recipients
can have a simple plugin to view/display it inline (then save to
edit/modify etc).
HTML is horrible for formula...but at least I guess a little better than MS
Word.

alan


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread bzs

On May 15, 2018 at 05:34 r...@gsp.org (Rich Kulawiec) wrote:
 > On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
 > > TL;DR = Don't use HTML email [snip]
 > 
 > That's enough right there.  HTML markup in email is used exclusively
 > by three kinds of people: (1) ignorant newbies who don't know any
 > better (2) ineducable morons who refuse to learn (3) spammers.
 > There are no exceptions.

Thirty years ago we thought graphical and even interactive email would
soon be the cat's pajamas (or possibly the bee's knees.)

Now we live in a world of seemingly ever-shrinking and pessimistic
expectations -- ok perhaps that's overstating a little -- largely due
to security considerations.

Don't do that, you'll poke your eye out!

Admittedly I never send HTML email and mostly find it annoying when I
receive it, tho not always.

We need to figure out how to have our cake and eat it too, "the k00l
kidz don't use html email" won't accomplish much except maybe among
the k00l kidz.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread nanog
On 05/15/2018 07:22 PM, Jim Shankland wrote:
> On 5/15/18 2:34 AM, Rich Kulawiec wrote:
>> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>>> TL;DR = Don't use HTML email [snip]
>> That's enough right there.  HTML markup in email is used exclusively
>> by three kinds of people: (1) ignorant newbies who don't know any
>> better (2) ineducable morons who refuse to learn (3) spammers.
>> There are no exceptions.
>>
> non-technical

She is a noob, thus the first :)



Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Jim Shankland

On 5/15/18 2:34 AM, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>> TL;DR = Don't use HTML email [snip]
>
> That's enough right there.  HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.

Which category best describes my wonderful, intelligent (but decidedly 
non-technical), 84-year-old mother-in-law, who has been using email for 
a couple of decades (thus certainly not a "newbie"), and is definitely 
not a spammer. Do you have any advice for how I break it to her that 
she's an ineducable moron? You know, since there are no exceptions and all.


Jim



Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Max Tulyev
I did a lot. Centralized proprietary messenger with a lot of noise around.

Unlike, for example, clear p2p Tox, or your own federated Jabber server, with
Tor to hide the metadata.

15.05.18 19:36, John Levine wrote:
> In article <47acebac-7df1-0dbb-9584-27062a945...@netassist.ua> you write:
>> Really? Use extremely centralized closed source "solution"?
> 
> You might want to learn a little about Signal.
> 
> R's,
> John
> 
>>
>> LOL.
>>
>> 15.05.18 18:47, John Levine wrote:
>>> In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you
>>> write:
>>>> Encrypted e-mail is so incredibly niche, this won't affect almost
>>>> everyone.
>>>
>>> Bruce Schneier's blog entry on this arcane buglet ended by saying that
>>> if you care about encryption use Signal or WhatsApp.
> 


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread John Levine
In article <47acebac-7df1-0dbb-9584-27062a945...@netassist.ua> you write:
>Really? Use extremely centralized closed source "solution"?

You might want to learn a little about Signal.

R's,
John

>
>LOL.
>
>15.05.18 18:47, John Levine wrote:
>> In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you 
>> write:
>>> Encrypted e-mail is so incredibly niche, this won't affect almost everyone. 
>> 
>> Bruce Schneier's blog entry on this arcane buglet ended by saying that
>> if you care about encryption use Signal or WhatsApp.


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Bill Woodcock


> On May 15, 2018, at 8:47 AM, John Levine wrote:
> Bruce Schneier's blog entry ended by saying that
> if you care about encryption use Signal or WhatsApp.

I didn’t even.

-Bill





Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Max Tulyev
Really? Use extremely centralized closed source "solution"?

LOL.

15.05.18 18:47, John Levine wrote:
> In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you 
> write:
>> Encrypted e-mail is so incredibly niche, this won't affect almost everyone. 
> 
> Bruce Schneier's blog entry on this arcane buglet ended by saying that
> if you care about encryption use Signal or WhatsApp.
> 
> R's,
> John
> 
> PS: I don't see any point in following up the discussion of HTML mail
> because it appears to have fallen through a wormhole from 15 years ago.
> 


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread John Levine
In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you 
write:
>Encrypted e-mail is so incredibly niche, this won't affect almost everyone. 

Bruce Schneier's blog entry on this arcane buglet ended by saying that
if you care about encryption use Signal or WhatsApp.

R's,
John

PS: I don't see any point in following up the discussion of HTML mail
because it appears to have fallen through a wormhole from 15 years ago.


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Rob McEwen

On 5/15/2018 5:34 AM, Rich Kulawiec wrote:
> That's enough right there.  HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.



For years, I was very disciplined about using plain-text only for my 
outbound messages... but then I got frustrated with seeing email I had 
posted (to lists like this) - come back with horribly bad line wrapping 
- that made for very choppy readability. (This may have been better or 
worse depending on which software or device I was reading it on?)


Then, when I switched to using my Thunderbird client's "plain and html" 
setting, that problem went away, and posts that I made didn't look like 
someone high on drugs typed them.


--
Rob McEwen
https://www.invaluement.com
 



Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Stephen Satchell

On 05/15/2018 02:34 AM, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>> TL;DR = Don't use HTML email [snip]
>
> That's enough right there.  HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.


Yes, there are exceptions.  Particularly, chemists (and chemical 
engineers) and physicists who need to embed formulas into their e-mail. 
They use HTML because it's fast and easy, instead of using the preferred 
method of building a PDF and sending that.


(I had a long, unfruitful argument with my brother the chem engineer at 
the time my mail server rejected all incoming HTML mail.  I had to change.)


Another exception is that most webmail is HTML and plaintext in MIME format.

I get around the problem of triggering code in Thunderbird by only using 
the plain text view, dropping to "simplified HTML" view only when 
necessary, and only when I know the sender.


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Mike Hammett
Do kids often go on your lawn as well? 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Rich Kulawiec" <r...@gsp.org> 
To: nanog@nanog.org 
Sent: Tuesday, May 15, 2018 4:34:31 AM 
Subject: Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent 

On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote: 
> TL;DR = Don't use HTML email [snip] 

That's enough right there. HTML markup in email is used exclusively 
by three kinds of people: (1) ignorant newbies who don't know any 
better (2) ineducable morons who refuse to learn (3) spammers. 
There are no exceptions. 

---rsk 



Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Mike Hammett
Encrypted e-mail is so incredibly niche, this won't affect almost everyone. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "George William Herbert" <george.herb...@gmail.com> 
To: nanog@nanog.org 
Sent: Monday, May 14, 2018 2:43:25 AM 
Subject: Email security: PGP/GPG & S/MIME vulnerability drop imminent 


This is likely bad enough operators need to pay attention. 

@seecurity tweeted: 

"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption 
on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, 
including encrypted emails sent in the past. #efail 1/4" 

Thread starts here: 
https://twitter.com/seecurity/status/995906576170053633?s=21 

I have no particular insight into what it is other than presuming from thread 
that decryption can be tricked to do bad things. 

They recommend temporary disabling downthread: 

"There are currently no reliable fixes for the vulnerability. If you use 
PGP/GPG or S/MIME for very sensitive communication, you should disable it in 
your email client for now. Also read @EFF’s blog post on this issue: 
eff.org/deeplinks/2018… #efail 2/4" 

-george 

Sent from my iPhone 


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Bjørn Mork
Brian Kantor writes:

> On Tue, May 15, 2018 at 05:34:31AM -0400, Rich Kulawiec wrote:
>> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>> > TL;DR = Don't use HTML email [snip]
>> 
>> That's enough right there.  HTML markup in email is used exclusively
>> by three kinds of people: (1) ignorant newbies who don't know any
>> better (2) ineducable morons who refuse to learn (3) spammers.
>> There are no exceptions.
>> 
>> ---rsk
>
> Ah, if it only were those.  But the infestation has spread; nearly
> every corporate communication these days is polluted by HTML, with
> a very high percentage of that containing no content other than
> hyperlinks that say, in one form or another, "click on this link
> to read your message."

I don't see any contradiction here.

> Banks especially.

All three combined.


Bjørn


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Brian Kantor
On Tue, May 15, 2018 at 05:34:31AM -0400, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
> > TL;DR = Don't use HTML email [snip]
> 
> That's enough right there.  HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.
> 
> ---rsk

Ah, if it only were those.  But the infestation has spread; nearly
every corporate communication these days is polluted by HTML, with
a very high percentage of that containing no content other than
hyperlinks that say, in one form or another, "click on this link
to read your message."

Banks especially.

I imagine some fool told them this improves security, and they were
stupid enough to believe it.
- Brian


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Brandon Butterworth
On Tue May 15, 2018 at 05:34:31AM -0400, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
> > TL;DR = Don't use HTML email [snip]
> 
> That's enough right there.  HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.

and phishers/exploiters. HTML markup in email is used exclusively
by four kinds of people 

brandon


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Rich Kulawiec
On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
> TL;DR = Don't use HTML email [snip]

That's enough right there.  HTML markup in email is used exclusively
by three kinds of people: (1) ignorant newbies who don't know any
better (2) ineducable morons who refuse to learn (3) spammers.
There are no exceptions.

---rsk


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-14 Thread Suresh Ramasubramanian
Seems to be a set of MUA bugs that are being overblown and hyped up.

TL;DR = Don't use HTML email with some mail clients when sending pgp encrypted 
mail.

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

--srs

On 14/05/18, 1:15 PM, "NANOG on behalf of George William Herbert" wrote:

> This is likely bad enough operators need to pay attention.
>
> @seecurity tweeted:
>
> "We'll publish critical vulnerabilities in PGP/GPG and S/MIME email
> encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of
> encrypted emails, including encrypted emails sent in the past. #efail 1/4"
>
> Thread starts here:
> https://twitter.com/seecurity/status/995906576170053633?s=21
>
> I have no particular insight into what it is other than presuming from
> thread that decryption can be tricked to do bad things.
>
> They recommend temporary disabling downthread:
>
> "There are currently no reliable fixes for the vulnerability. If you use
> PGP/GPG or S/MIME for very sensitive communication, you should disable it in
> your email client for now. Also read @EFF’s blog post on this issue:
> eff.org/deeplinks/2018… #efail 2/4"
>
> -george
>
> Sent from my iPhone




Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-14 Thread George William Herbert

This is likely bad enough operators need to pay attention.

@seecurity tweeted:

"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption 
on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, 
including encrypted emails sent in the past. #efail 1/4"

Thread starts here:
https://twitter.com/seecurity/status/995906576170053633?s=21

I have no particular insight into what it is other than presuming from thread 
that decryption can be tricked to do bad things.

They recommend temporary disabling downthread:

"There are currently no reliable fixes for the vulnerability. If you use 
PGP/GPG or S/MIME for very sensitive communication, you should disable it in 
your email client for now. Also read @EFF’s blog post on this issue: 
eff.org/deeplinks/2018… #efail 2/4"

-george 

Sent from my iPhone