Re: Breaking MIME concatenation

2018-05-16 Thread Andrew Gallagher
> On 16 May 2018, at 05:21, Patrick Brunschwig wrote: > > Content-Type: mutlipart/mixed; boundary="WRAPPER" > Content-Description: Efail protection wrapper > > --WRAPPER > Content-Type: text/html > > > > > > --WRAPPER > (result of PGP/MIME decryption) > --WRAPPER--

Efail

2018-05-16 Thread eira wahlin
Hi. I've been looking at a vulnerability in mail clients using pgp, described at efail.de. It is a technique where an attacker would inject an HTML IMG tag in an email, enveloping the encrypted text. This would send the cleartext message to the server indicated in the IMG tag. To me, it seems

Vulnerable clients (was: US-CERT now issuing a warning for OpenPGP-SMIME-Mail-Client-Vulnerabilities)

2018-05-16 Thread Werner Koch
On Tue, 15 May 2018 03:31, je...@seibercom.net said: > NCCIC encourages users and administrators to review CERT/CC’s Vulnerability > Note VU #122919. Doesn't CERT read the paper before producing a report? The table of vulnerable MUAs is easy enough to read. To better see what we are

Re: Vulnerable clients (was: US-CERT now issuing a warning for OpenPGP-SMIME-Mail-Client-Vulnerabilities)

2018-05-16 Thread Matthias Apitz
On Tuesday, May 15, 2018 at 10:44:16AM +0200, Werner Koch wrote: > On Tue, 15 May 2018 03:31, je...@seibercom.net said: > > NCCIC encourages users and administrators to review CERT/CC’s Vulnerability > > Note VU #122919. > > Doesn't CERT read the paper before producing a report? The

Re: AW: AW: Efail or OpenPGP is safer than S/MIME

2018-05-16 Thread Robert J. Hansen
> I’m going to preemptively quote RJH here before he gets around to it. Use the > defaults! ;-) :) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Efail

2018-05-16 Thread F Rafi
Oh man.. check a few of the previous list emails on this subject. They're fairly detailed. Farhan On Wed, May 16, 2018 at 3:04 AM, eira wahlin wrote: > Hi. > I've been looking at a vulnerability in mail clients using pgp, described > at efail.de. It is a technique where an

Re: Breaking MIME concatenation

2018-05-16 Thread Martin
Hi On Tuesday, 15 May 2018, 22:19:17 you wrote: > On 05/15/2018 04:44 AM, Patrick Brunschwig wrote: > >> I think the correct solution must be to treat each MIME part >> independently, i.e. it needs to be parsed independently by the HTML

[GPGME] Repeated decrypt fails

2018-05-16 Thread Randy Trinh
Hi everyone, I'm fairly new to GnuPG and GPGME in general and I'm currently trying to implement a process in which a file is uploaded from a website in which case my program uses GPGME to decrypt the file returning true or false. The first time I upload the file (a .tar.gz) and run

AW: AW: AW: Efail or OpenPGP is safer than S/MIME

2018-05-16 Thread Fiedler Roman
> From: Andrew Gallagher [mailto:andr...@andrewg.com] > > > On 16 May 2018, at 13:44, Fiedler Roman > wrote: > > > > I am not sure, if gpg could support > > implementation/testing/life-cycle-efforts > to establish all those parameters and different process models for most

Re: AW: AW: Efail or OpenPGP is safer than S/MIME

2018-05-16 Thread Andrew Gallagher
> On 16 May 2018, at 13:44, Fiedler Roman wrote: > > I am not sure, if gpg could support implementation/testing/life-cycle-efforts > to establish all those parameters and different process models for most of > the decryption processes gpg users envision to use gpg

Re: Vulnerable clients

2018-05-16 Thread Werner Koch
On Wed, 16 May 2018 10:48, o...@mat.ucm.es said: >> On Tue, 15 May 2018 03:31, je...@seibercom.net said: > >> My conclusion is that S/MIME is vulnerable in most clients with the >> exception of The Bat!, Kmail, Claws, Mutt and Horde IMP. I take the >> requirement for a user

Re: Breaking MIME concatenation

2018-05-16 Thread Werner Koch
On Tue, 15 May 2018 22:19, miri...@riseup.net said: > So why use HTML with gnupg? Even some of the journalists kicking that EFFective hype are using encrypted mails with HTML content. 's/

Re: GPGME progress callback no current or total

2018-05-16 Thread Werner Koch
On Tue, 15 May 2018 20:45, tookm...@gmail.com said: > PROGRESS UPDATE: what = primegen, type = 43, current = 0, total = 0 > > > Aren't current and total supposed to indicate progress? Why might they > be zero? Depends on the type of progress. For prime generation we can't do any estimation. f

Re: AW: Efail or OpenPGP is safer than S/MIME

2018-05-16 Thread Werner Koch
On Tue, 15 May 2018 11:44, roman.fied...@ait.ac.at said: > The status line format should be designed to support those variants to > allow a "logical consistency check" of the communication with GnuPG There is a DECRYPTION_FAILED and that is all it takes. If the integrity check fails

Re: Vulnerable clients

2018-05-16 Thread Uwe Brauer
Sorry for this possible double posting. I am usually using gmane, but I don't see my mail appearing so I resend it to the list, to which I subscribed now. > On Tue, 15 May 2018 03:31, je...@seibercom.net said: > My conclusion is that S/MIME is vulnerable in most clients with the >

AW: AW: Efail or OpenPGP is safer than S/MIME

2018-05-16 Thread Fiedler Roman
> From: Werner Koch [mailto:w...@gnupg.org] > > On Tue, 15 May 2018 11:44, roman.fied...@ait.ac.at said: > > > The status line format should be designed to support those variants to > > allow a "logical consistency check" of the communication with GnuPG > > There is a > > DECRYPTION_FAILED > > and

Re: Don't Panic.

2018-05-16 Thread Werner Koch
On Tue, 15 May 2018 17:06, mw...@iupui.edu said: > Heh. "We've discovered that locks can be picked, so you should remove > all the locks from your doors right now." "There are a lot of benefits for members of the Mechanical Frontdoor Foundation. Rely on us for your social engineering tasks.

Re: Efail or OpenPGP is safer than S/MIME

2018-05-16 Thread Werner Koch
On Tue, 15 May 2018 11:56, andr...@andrewg.com said: > We should also be very careful to note that none of this discussion > thread applies to the MIME concatenation vulnerability, which is a > problem in Thunderbird and other mail clients, and which cannot be While we are at that point. Can we

Re: AW: AW: AW: Efail or OpenPGP is safer than S/MIME

2018-05-16 Thread Werner Koch
On Wed, 16 May 2018 16:24, roman.fied...@ait.ac.at said: > In my opinion it is hard to find such a "one size fits all" > solution. Like Werner's example: disabling decryption streaming The goal of the MDC is to assure that the message has been received exactly as the sender set it. Thus there

Re: Vulnerable clients

2018-05-16 Thread Werner Koch
On Wed, 16 May 2018 10:02, g...@unixarea.de said: > Most (if not even all) of the MUA which are noted for Linux do run on > nearly any other UNIX flavor, FreeBSD, OpenBSD, ... and mutt in addition I would have written Unix instead of mentioning one specific flavor of Unix kernel software ;-)

Re: Efail or OpenPGP is safer than S/MIME

2018-05-16 Thread Mirimir
On 05/16/2018 05:48 AM, Werner Koch wrote: > On Tue, 15 May 2018 11:56, andr...@andrewg.com said: > >> We should also be very careful to note that none of this discussion >> thread applies to the MIME concatenation vulnerability, which is a >> problem in Thunderbird and other mail clients, and

Re: Breaking MIME concatenation

2018-05-16 Thread Mirimir
On 05/16/2018 02:46 AM, Martin wrote: > Hi > > On Tuesday, 15 May 2018, 22:19:17 you wrote: > >> On 05/15/2018 04:44 AM, Patrick Brunschwig wrote: > >> > >>> I think the correct solution must be to treat each MIME part >>> independently, i.e. it needs to be parsed independently by the

Re: Breaking MIME concatenation

2018-05-16 Thread Robert J. Hansen
> I think a fundamental discussion is necessary with the question: Who > should / will use GnuPG in the future? While y'all are having this discussion, remember that GnuPG's 95% use case is verifying Linux packages, and that number isn't expected to change a whole lot. Email users are important,

Re: Breaking MIME concatenation

2018-05-16 Thread Lukas Pitschl | GPGTools
> On 16.05.2018 at 06:21, Patrick Brunschwig wrote: > > Content-Type: mutlipart/mixed; boundary="WRAPPER" > Content-Description: Efail protection wrapper > > --WRAPPER > Content-Type: text/html > > > > > > --WRAPPER > (result of PGP/MIME decryption) > --WRAPPER--