PGP and S/MIME vulnerabilties

Hi,

I just read these bad news:
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

I for one deactivated Enigmail as well as GpgOL…

CC

Don’t panic! https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060317.html :slight_smile:

As far as we know this is not very serious for Gpg4win and Mail clients using GnuPG as crypto backend. There is quite a bit annoyance about the EFF for claiming to uninstall GpgOL without asking us first or informing us of any issues.

If you look at:

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/thread.html#60315

There is some more discussion.

We have since gotten the paper and it only sees serious issues for Outlook 2007 and 2003 which are already marked as unmaintained and should not be used.

We are still investigating and working on a statement for Gpg4win and hope to release it tomorrow when the paper is finally released. Engimail since 2.0 also appears not be seriously affected even if the paper claims differently. At least if you didn’t go through lengths to configure GnuPG in an insecure manner ( ignore-mdc-error )

Best Regards,
Andre

Thanks for your quick and comprehensive answer. Just stepped through the links and noticed that a press release has been added to the forum.
Best regards
CC

Still working on a statement for Gpg4win. We are trying to get the facts right even if that means that we are a bit late.

Further investigation shows that we need to do something to improve the situation for S/MIME. For OpenPGP we look very good but for S/MIME there could be manipulations both of files and mails.

General recommendation if you use S/MIME (even the native version) do not download images in mails in Outlook either automatically or manually. This is generally good advice even without crypto.

For S/MIME files you should be even more wary of unsigned files as the paper shows additional ways to manipulate S/MIME encrypted content. Always sign + encrypt to have something secured is also what we promote. We are likely to enforce that a bit more for S/MIME files.