EFAIL


24 bookmarks. First posted by rukku 9 days ago.


The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.
...
There are two different flavors of EFAIL attacks. First, the direct exfiltration attack abuses vulnerabilities in Apple Mail, iOS Mail and Mozilla Thunderbird to directly exfiltrate the plaintext of encrypted emails. These vulnerabilities can be fixed in the respective email clients. The attack works like this. The attacker creates a new multipart email with three body parts as shown below. The first is an HTML body part essentially containing an HTML image tag. Note that the src attribute of that image tag is opened with quotes but not closed. The second body part contains the PGP or S/MIME ciphertext. The third is an HTML body part again that closes the src attribute of the first body part.
privacy  security  emacs  pgp  gpg 
8 days ago by some_hren
RT : Due to our embargo being broken, here are the full details of the attacks.
efail  from twitter
8 days ago by davidolrik
HomeMitigationsFAQPaperCoverage
EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails.
EFAIL  pgp  privacy  security  smime  encryption  vulnerability  gpg 
9 days ago by rdark
EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails.
security  privacy  email  encryption 
9 days ago by dusko
EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails.
PGP  GnuPG  OpenPGP  bug  attack  exploit  email  security  privacy 
9 days ago by aldolat
PGP Vulnerabilities and mitigations explained at , check it out!
email  security  privacy  servus 
9 days ago by aderieg
Oh, I guess it’s already published. Well then, here it is: they broke PGP email.
from twitter_favs
9 days ago by ciphpercoder
Favorite tweet:

New vulnerabilities in many PGP and S/MIME enabled email clients. Allows exfiltration of plaintext by mauling HTML emails. A few thoughts. https://t.co/LiGhHLhYFQ

— Matthew Green (@matthew_d_green) May 14, 2018
IFTTT  Twitter 
9 days ago by chetan
RT : Due to our embargo being broken, here are the full details of the attacks.
from twitter
9 days ago by dinomite
The first is an HTML body part essentially containing an HTML image tag. Note that the src attribute of that image tag is opened with quotes but not closed. The second body part contains the PGP or S/MIME ciphertext. The third is an HTML body part again that closes the src attribute of the first body part // AARGH html e-mail:-)
email  pgp  security  hacker  efail  html_email 
9 days ago by yorksranter
EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails.
Email is a plaintext communication medium whose communication paths are partly protected by TLS (TLS). For people in hostile environments (journalists, political activists, whistleblowers, ...) who depend on the confidentiality of digital communication, this may not be enough. Powerful attackers such as nation state agencies are known to eavesdrop on email communications of a large number of people. To address this, OpenPGP offers end-to-end encryption specifically for sensitive communication in view of these powerful attackers. S/MIME is an alternative standard for email end-to-end encryption that is typically used to secure corporate email communication.
email  s/mime  OpenPGP  security  leaks 
9 days ago by kOoLiNuS
Due to our embargo being broken, here are the full details of the attacks.
efail  from twitter_favs
9 days ago by rukku