Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On 05/15/2018 04:34 AM, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>> TL;DR = Don't use HTML email [snip]
>
> That's enough right there. HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.

There is a need for rich-text these days. What is your proposal?
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On Tue, May 15, 2018 at 10:42:31AM +0100, Brandon Butterworth wrote:
> and phishers/exploiters. HTML markup in email is used exclusively
> by four kinds of people

I'll accept that as a friendly amendment. ;)

It is -- to Brian Kantor's point elsewhere in the thread -- very unfortunate that many banks and financial institutions have spent much of the past couple of decades assiduously training their customers to be phish victims. Some of them, including a very well-known, very large company I'm communicating with at the moment, have compounded that blunder by handing over lists of the email addresses of all their customers to third parties, thus making it vastly easier for phishers to get their hands on them.

(If the latter isn't clear, consider: suppose you were in the professional phishing business. "professional" as in doing it competently, not sending messages full of fractured syntax. Can you think of some places where you would like to have one of your employees positioned? How about some place that handles customer email data for *many* banks/financial institutions? One-stop shopping, as it were. No need to get people into 27 different operations when all you need to do is get one person into one. And, most likely, every one of those 27 has done you the favor of knocking themselves out to make their customers vulnerable to you. You're welcome.)

---rsk
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On 5/15/2018 05:59, Brian Kantor wrote:
> I imagine some fool told them this improves security, and they were
> stupid enough to believe it.
> - Brian

It's a bit simpler than that. Too many people are dazzled by polished presentations. It's a sad fact of life that there are way too many people walking around that are distracted by shiny things.
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On 15/05/2018 10:34, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>> TL;DR = Don't use HTML email [snip]
>
> That's enough right there. HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.
>
> ---rsk

If only life were so simple.

I used to be a resolute user of plain text-only email. It was good enough for me. And then I realised how absurdly old fashioned this appeared to my clients. I'd send them emails explaining what I was going to do or about the new product or service, and it just looked boring and backward. I realised that I could no longer stick to plain text: It was actually harming my business.

The world has moved on and rich content everywhere is now a must. It's no longer optional (although of course it depends on with whom one communicates).

Yes, you can blame this on "ignorant newbies who don't know any better" but bear in mind that they are now the vast majority of users. They are the ones ultimately paying the bills and we have to adapt to their preferences, and not them to us.

P.S. And I agree with Suresh in the previous message. It is true that there is a real problem here (more with S/MIME than PGP/GPG in practice) but it's being hyped up and overblown. The content does not fully support the headlines.

--
Mark Rousell
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
Embargo has been broken. Here's the full details: https://efail.de

(h/t Martijn Grooten)

On Mon, 14 May 2018, 09:19 Suresh Ramasubramanian, wrote:
> Seems to be a set of MUA bugs that are being overblown and hyped up.
>
> TL;DR = Don't use HTML email with some mail clients when sending pgp
> encrypted mail.
>
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
>
> --srs
>
> On 14/05/18, 1:15 PM, "NANOG on behalf of George William Herbert" <
> nanog-boun...@nanog.org on behalf of george.herb...@gmail.com> wrote:
>
> This is likely bad enough operators need to pay attention.
>
> @seecurity tweeted:
>
> "We'll publish critical vulnerabilities in PGP/GPG and S/MIME email
> encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of
> encrypted emails, including encrypted emails sent in the past. #efail 1/4"
>
> Thread starts here:
> https://twitter.com/seecurity/status/995906576170053633?s=21
>
> I have no particular insight into what it is other than presuming from
> thread that decryption can be tricked to do bad things.
>
> They recommend temporary disabling downthread:
>
> "There are currently no reliable fixes for the vulnerability. If you
> use PGP/GPG or S/MIME for very sensitive communication, you should disable
> it in your email client for now. Also read @EFF’s blog post on this issue:
> eff.org/deeplinks/2018… #efail 2/4"
>
> -george
>
> Sent from my iPhone
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On Tue, May 15, 2018 at 2:31 PM Alan Buxey wrote:
> real ones

Ah, the classic "no true Scotsman." I haven't seen one of these in a while.

I think the vast majority of HTML email use is due to "email formatting and markup" being somewhere near the end of the priority list. I know that's where it resides on mine.

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
real ones send such formulae as LaTeX attachments - where their recipients can have a simple plugin to view/display it inline (then save to edit/modify etc). HTML is horrible for formula...but at least I guess a little better than MS Word.

alan
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On May 15, 2018 at 05:34 r...@gsp.org (Rich Kulawiec) wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
> > TL;DR = Don't use HTML email [snip]
>
> That's enough right there. HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.

Thirty years ago we thought graphical and even interactive email would soon be the cat's pajamas (or possibly the bee's knees.)

Now we live in a world of seemingly ever-shrinking and pessimistic expectations -- ok perhaps that's overstating a little -- largely due to security considerations.

Don't do that, you'll poke your eye out!

Admittedly I never send HTML email and mostly find it annoying when I receive it, tho not always.

We need to figure out how to have our cake and eat it too, "the k00l kidz don't use html email" won't accomplish much except maybe among the k00l kidz.

--
-Barry Shein

Software Tool & Die    | b...@theworld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On 05/15/2018 07:22 PM, Jim Shankland wrote:
> On 5/15/18 2:34 AM, Rich Kulawiec wrote:
>> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>>> TL;DR = Don't use HTML email [snip]
>> That's enough right there. HTML markup in email is used exclusively
>> by three kinds of people: (1) ignorant newbies who don't know any
>> better (2) ineducable morons who refuse to learn (3) spammers.
>> There are no exceptions.
>>
> non-technical

She is a noob, thus the first :)
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On 5/15/18 2:34 AM, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>> TL;DR = Don't use HTML email [snip]
> That's enough right there. HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.

Which category best describes my wonderful, intelligent (but decidedly non-technical), 84-year-old mother-in-law, who has been using email for a couple of decades (thus certainly not a "newbie"), and is definitely not a spammer. Do you have any advice for how I break it to her that she's an ineducable moron? You know, since there are no exceptions and all.

Jim
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
I did a lot. Centralized proprietary messenger with a lot of noise around. Unlike for example clear p2p tox, federalized own jabber server, with TOR to hide a metadata.

15.05.18 19:36, John Levine wrote:
> In article <47acebac-7df1-0dbb-9584-27062a945...@netassist.ua> you write:
>> Really? Use extremely centralized closed source "solution"?
>
> You might want to learn a little about Signal.
>
> R's,
> John
>
>>
>> LOL.
>>
>> 15.05.18 18:47, John Levine wrote:
>>> In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you
>>> write:
>>>> Encrypted e-mail is so incredibly niche, this won't affect almost everyone.
>>>
>>> Bruce Schneier's blog entry on this arcane buglet ended by saying that
>>> if you care about encryption use Signal or WhatsApp.
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
In article <47acebac-7df1-0dbb-9584-27062a945...@netassist.ua> you write:
>Really? Use extremely centralized closed source "solution"?

You might want to learn a little about Signal.

R's,
John

>
>LOL.
>
>15.05.18 18:47, John Levine wrote:
>> In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you
>> write:
>>> Encrypted e-mail is so incredibly niche, this won't affect almost everyone.
>>
>> Bruce Schneier's blog entry on this arcane buglet ended by saying that
>> if you care about encryption use Signal or WhatsApp.
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
> On May 15, 2018, at 8:47 AM, John Levine wrote:
> Bruce Schneier's blog entry ended by saying that
> if you care about encryption use Signal or WhatsApp.

I didn’t even.

-Bill
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
Really? Use extremely centralized closed source "solution"?

LOL.

15.05.18 18:47, John Levine wrote:
> In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you
> write:
>> Encrypted e-mail is so incredibly niche, this won't affect almost everyone.
>
> Bruce Schneier's blog entry on this arcane buglet ended by saying that
> if you care about encryption use Signal or WhatsApp.
>
> R's,
> John
>
> PS: I don't see any point in following up the discussion of HTML mail
> because it appears to have fallen through a wormhole from 15 years ago.
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you write:
>Encrypted e-mail is so incredibly niche, this won't affect almost everyone.

Bruce Schneier's blog entry on this arcane buglet ended by saying that if you care about encryption use Signal or WhatsApp.

R's,
John

PS: I don't see any point in following up the discussion of HTML mail because it appears to have fallen through a wormhole from 15 years ago.
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On 5/15/2018 5:34 AM, Rich Kulawiec wrote:
> That's enough right there. HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.

For years, I was very disciplined about using plain-text only for my outbound messages... but then I got frustrated with seeing email I had posted (to lists like this) - come back with horribly bad line wrapping - that made for very choppy readability. (This may have been better or worse depending on which software or device I was reading it on?) Then, when I switched to using my Thunderbird client's "plain and html" setting, that problem went away, and posts that I made didn't look like someone high on drugs typed them.

--
Rob McEwen
https://www.invaluement.com
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On 05/15/2018 02:34 AM, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>> TL;DR = Don't use HTML email [snip]
> That's enough right there. HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.

Yes, there are exceptions. Particularly, chemists (and chemical engineers) and physicists who need to embed formulas into their e-mail. They use HTML because it's fast and easy, instead of using the preferred method of building a PDF and sending that.

(I had a long, unfruitful argument with my brother the chem engineer at the time my mail server rejected all incoming HTML mail. I had to change.)

Another exception is that most webmail is HTML and plaintext in MIME format.

I get around the problem of triggering code in Thunderbird by only using the plain text view, dropping to "simplified HTML" view only when necessary, and only when I know the sender.
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
Do kids often go on your lawn as well?

- Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

- Original Message -
From: "Rich Kulawiec"
To: nanog@nanog.org
Sent: Tuesday, May 15, 2018 4:34:31 AM
Subject: Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
> TL;DR = Don't use HTML email [snip]

That's enough right there. HTML markup in email is used exclusively by three kinds of people: (1) ignorant newbies who don't know any better (2) ineducable morons who refuse to learn (3) spammers. There are no exceptions.

---rsk
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
Encrypted e-mail is so incredibly niche, this won't affect almost everyone.

- Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

- Original Message -
From: "George William Herbert"
To: nanog@nanog.org
Sent: Monday, May 14, 2018 2:43:25 AM
Subject: Email security: PGP/GPG & S/MIME vulnerability drop imminent

This is likely bad enough operators need to pay attention.

@seecurity tweeted:

"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4"

Thread starts here:
https://twitter.com/seecurity/status/995906576170053633?s=21

I have no particular insight into what it is other than presuming from thread that decryption can be tricked to do bad things.

They recommend temporary disabling downthread:

"There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: eff.org/deeplinks/2018… #efail 2/4"

-george

Sent from my iPhone
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
Brian Kantor writes:
> On Tue, May 15, 2018 at 05:34:31AM -0400, Rich Kulawiec wrote:
>> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
>> > TL;DR = Don't use HTML email [snip]
>>
>> That's enough right there. HTML markup in email is used exclusively
>> by three kinds of people: (1) ignorant newbies who don't know any
>> better (2) ineducable morons who refuse to learn (3) spammers.
>> There are no exceptions.
>>
>> ---rsk
>
> Ah, if it only were those. But the infestation has spread; nearly
> every corporate communication these days is polluted by HTML, with
> a very high percentage of that containing no content other than
> hyperlinks that say, in one form or another, "click on this link
> to read your message."

I don't see any contradiction here.

> Banks especially.

All three combined.

Bjørn
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On Tue, May 15, 2018 at 05:34:31AM -0400, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
> > TL;DR = Don't use HTML email [snip]
>
> That's enough right there. HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.
>
> ---rsk

Ah, if it only were those. But the infestation has spread; nearly every corporate communication these days is polluted by HTML, with a very high percentage of that containing no content other than hyperlinks that say, in one form or another, "click on this link to read your message."

Banks especially.

I imagine some fool told them this improves security, and they were stupid enough to believe it.

- Brian
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On Tue May 15, 2018 at 05:34:31AM -0400, Rich Kulawiec wrote:
> On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
> > TL;DR = Don't use HTML email [snip]
>
> That's enough right there. HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.

and phishers/exploiters. HTML markup in email is used exclusively by four kinds of people

brandon
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
On Mon, May 14, 2018 at 01:47:50PM +0530, Suresh Ramasubramanian wrote:
> TL;DR = Don't use HTML email [snip]

That's enough right there. HTML markup in email is used exclusively by three kinds of people: (1) ignorant newbies who don't know any better (2) ineducable morons who refuse to learn (3) spammers. There are no exceptions.

---rsk
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
Seems to be a set of MUA bugs that are being overblown and hyped up.

TL;DR = Don't use HTML email with some mail clients when sending pgp encrypted mail.

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

--srs

On 14/05/18, 1:15 PM, "NANOG on behalf of George William Herbert" wrote:

This is likely bad enough operators need to pay attention.

@seecurity tweeted:

"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4"

Thread starts here:
https://twitter.com/seecurity/status/995906576170053633?s=21

I have no particular insight into what it is other than presuming from thread that decryption can be tricked to do bad things.

They recommend temporary disabling downthread:

"There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: eff.org/deeplinks/2018… #efail 2/4"

-george

Sent from my iPhone
Email security: PGP/GPG & S/MIME vulnerability drop imminent
This is likely bad enough operators need to pay attention.

@seecurity tweeted:

"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4"

Thread starts here:
https://twitter.com/seecurity/status/995906576170053633?s=21

I have no particular insight into what it is other than presuming from thread that decryption can be tricked to do bad things.

They recommend temporary disabling downthread:

"There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: eff.org/deeplinks/2018… #efail 2/4"

-george

Sent from my iPhone