pgp   4858

What’s the matter with PGP? – A Few Thoughts on Cryptographic Engineering
Last Thursday, Yahoo announced their plans to support end-to-end encryption using a fork of Google's end-to-end email extension. This is a Big Deal. With providers like Google and Yahoo onboard, email encryption is bound to get a big kick in the ass. This is something email badly needs. So great work by Google and Yahoo!…
email  pgp  security  crypto  privacy  Bookmarks_Toolbar  critique  Cryptography  encryption  essays 
yesterday by websitejk
benjojo/bgp-battleships: Play battleships using BGP
GitHub is where people build software. More than 27 million people use GitHub to discover, fork, and contribute to over 80 million projects.
golang  pgp  games 
yesterday by geetarista
It has been a bad week for encrypted messaging and it’s only Wednesday | Ars Technica
Monday brought word of decade-old flaws that might reveal the contents of PGP- and S/MIME-encrypted emails. Some of the worst flaws resided in email clients such as Thunderbird and Apple Mail, and they offer a golden opportunity to attackers who have already intercepted previously sent messages. By embedding the intercepted ciphertext in invisible parts of a new message sent to a sender or receiver of the original email, attackers can force the client to leak the corresponding plaintext. Thunderbird and Mail have yet to be patched, although the Thunderbird flaw has been mitigated by an update published Wednesday in the Enigmail GPG plugin.
cybersecurity  encryption  pgp  signal  email  javascript  crypto 
4 days ago by bwiese
The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.
There are two different flavors of EFAIL attacks. First, the direct exfiltration attack abuses vulnerabilities in Apple Mail, iOS Mail and Mozilla Thunderbird to directly exfiltrate the plaintext of encrypted emails. These vulnerabilities can be fixed in the respective email clients. The attack works like this. The attacker creates a new multipart email with three body parts as shown below. The first is an HTML body part essentially containing an HTML image tag. Note that the src attribute of that image tag is opened with quotes but not closed. The second body part contains the PGP or S/MIME ciphertext. The third is an HTML body part again that closes the src attribute of the first body part.
privacy  security  emacs  pgp  gpg 
7 days ago by some_hren
Attacks against GPG signed APT repositories - Packagecloud Blog

It is a common misconception that simply signing your packages and repository metadata with GPG is enough to create a secure APT repository. This is false. Many of the attacks outlined in the paper and this blog post are effective against GPG-signed APT repositories. GPG signing Debian packages themselves does nothing, as explained below. The easiest way to prevent the attacks covered below is to always serve your APT repository over TLS; no exceptions.

This is excellent research. My faith in GPG sigs on packages is well shaken.
apt  security  debian  packaging  gpg  pgp  packages  dpkg  apt-get  ops 
8 days ago by jm
