Collaborate Disseminate
Really, I could not understand why the decryption process of CFB malleability gadget takes the next cipher block while PGP uses the previous block as shown in the equations in the attached image, I read Efail attack paper but I could not u… Continue reading why Efail CFB malleability gadget is different from CFB mode decryption?
I saw this question about which out of those two protocols is more secure. The question was from 2016, but Efail was discovered late 2017. I understand that some email programs were affected while others were not, plaintext was somehow sne… Continue reading Were PGP/MIME and PGP/Inline equally affected by EFAIL?
The published examples for exploiting the EFAIL email encryption vulnerability all appear to use HTML to create a backchannel for exfiltrating decrypted data.
However, the homepage of EFAIL, https://efail.de/ , claims:
S… Continue reading What are the EFAIL "backchannels in email clients not related to HTML"?
The proposed method
Brief and simplified description of the attack:
Any and every single encrypted block B of the encrypted message can be surrounded by Trojan psuedo-encrypted data to give a multiblock encrypted message AB… Continue reading Will this method allow EFAIL-safe sending of OpenPGP encrypted messages to otherwise EFAIL-unsafe readers?
Last week the PGPocalipse was all over the news… Except that, well, it wasn’t an apocalypse.
A team of researchers published a paper(PDF) where they describe how to decrypt a PGP encrypted email via a targeted attack. The research itself is pretty well documented and, from a security researcher perspective, it’s a good paper to read, especially the cryptography parts.
But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending everyone turn off PGP encryption on all email clients., but they weren’t able to back this recommendation …read more
Continue reading Explaining Efail and Why It Isn’t the End of Email Privacy
The way I understand EFAIL, the attack works because email clients can be coerced into concatenating the decrypted message into text supplied by the attacker to result in an URL.
But wouldn’t it be a counter-measure to use a… Continue reading Is this a simple protection against EFAIL?
Here’s the latest Naked Security podcast – enjoy! Continue reading How to find lost USB drives (even if you don’t want to) [PODCAST]
The EFAIL bug shows how to trick some mail clients into turning the email encryption tools S/MIME and OpenPGP against themselves. Continue reading The EFAIL vulnerability – why it’s OK to keep on using email
The flaws threaten to expose corporate communications in Outlook as well as the messages of at-risk users like political dissidents. Continue reading EFAIL Opens Up Encrypted Email to Prying Eyes
From the gaping maw of the infosec Twitterverse comes horrifying news. PGP is broken. How? We don’t know. When will there be any information on this vulnerability? Tomorrow. It’s the most important infosec story of the week, and it’s only Monday. Of course, this vulnerability already has a name. Everyone else is calling it eFail, but I’m calling it Fear, Uncertainty, and Doubt.
[Sebastian Schinzel] announced on Twitter today he will be announcing a critical vulnerability in PGP/GPG and S/MIME email encryption. This vulnerability may reveal the plaintext of encrypted emails. There are currently no fixes — but there’s no …read more
Continue reading PGP Vulnerability Pre-announced by Security Researcher