Discover and read the best of Twitter Threads about #EFAIL
Most recents (8)
Today's Twitter threads (a Twitter thread).
Inside: Ireland's privacy regulator is a gamekeeper-turned-poacher; and more!
Archived at: pluralistic.net/2023/05/15/fin…
#Pluralistic
1/
Inside: Ireland's privacy regulator is a gamekeeper-turned-poacher; and more!
Archived at: pluralistic.net/2023/05/15/fin…
#Pluralistic
1/
Saturday (5/20), I'm at @GburgBookFest with *Red Team Blues*:
gaithersburgbookfestival.org/featured_autho…
5/22, I'm at @publicknowledge's Emerging Tech in #DC:
eventbrite.com/e/emerging-tec…
5/23, it's #Toronto for #WEPFest, w/@hockeyesque @RonDeibert & @DrNancyOlivieri:
westendphoenix.com/shop/wepfest-s…
2/
gaithersburgbookfestival.org/featured_autho…
5/22, I'm at @publicknowledge's Emerging Tech in #DC:
eventbrite.com/e/emerging-tec…
5/23, it's #Toronto for #WEPFest, w/@hockeyesque @RonDeibert & @DrNancyOlivieri:
westendphoenix.com/shop/wepfest-s…
2/
Ireland's privacy regulator is a gamekeeper-turned-poacher: Dublin is a made town.
3/
3/
New paper on how to fix #efail style attacks against e2e encrypted email, including OpenPGP and S/MIME. Joint work with @JoergSchwenk @lambdafu @dues__ @jensvoid @jurajsomorovsky @seecurity. To be presented at @acm_ccs 2020. Thread:
One central problem of email e2ee is that neither MIME structure nor header fields are protected from modification. Attackers can send modified ciphertexts, can send ciphertexts with crafted MIME structures or can add or remove headers such as FROM, RCPT TO or SUBJECT at will.
This allows attacks such as those described in efail.de or in arxiv.org/abs/1904.07550. So far, the mail clients mostly implemented ad hoc countermeasures that don't address the root causes the attacks.
Some reflections on OpenPGP, from the perspective of approaching Enigmail's end-of-life. Respect intended towards all, malice towards none, but a couple of sacred cows might get skewered along the way.
1/
1/
Everyone who says OpenPGP is embarrassingly ancient is right. Everyone who says it's bogus is wrong. The protocol itself is difficult to implement correctly and just feels clumsy and awkward by current standards. But for all that, it's still solid as a rock. 2/
In 15 years of supporting Enigmail users essentially every single day, *not once* did I see a security compromise traceable to a flaw in the protocol. Anyone proposing that OpenPGP should be replaced needs to answer the questions, "with what, and what's its track record?" 3/
New Paper: “Practical Decryption exFiltration: Breaking PDF Encryption“ describing new attacks that uncover the plaintext of encrypted PDFs. To be presented at @acm_ccs and joint work with @jensvoid @Murgi @v_mladenov @CheariX @JoergSchwenk. #PDFex 1/n
@acm_ccs @jensvoid @Murgi @v_mladenov @CheariX @JoergSchwenk Do you remember the efail.de attacks against S/MIME and OpenPGP encrypted emails? It’s basically that but against encrypted PDFs. Paper: pdf-insecurity.org. #PDFex 2/n
@acm_ccs @jensvoid @Murgi @v_mladenov @CheariX @JoergSchwenk The attacker modifies an encrypted PDF and sends it to the receiver. The receiver opens and decrypts the modified PDF and the viewer immediately sends the plaintext of the PDF to the attacker. #PDFex 3/n
Peter @welchering spricht über „Sicherheitsdateien des Bundes gefährden den Rechtsstaat: Wie unbescholtene Bürger in Straftäterdateien landen und was wir dagegen tun sollten“
I got up at 6am yesterday. Shortly before going to bed last night, #Efail broke. Since then I've been deluged in messages from very scared people who have wanted and needed to hear things are not as bad as they're being made out to be. 1/
I am literally hallucinating from sleep deprivation. I'm still here. Still answering DMs, emails, Google Hangout messages, Signal messages, more. I'm talking to journalists who are trying to get another take.
I am *exhausted*. 2/
I am *exhausted*. 2/
This is why responsible disclosure is so necessary. Irresponsible disclosure terrifies people. It might be good for clicks and pageviews, but we all pay the price for it in lost sleep. 3/
A new security vulnerability has been discovered in PGP (and GPG) that affects a range of email clients and plugins. To protect yourself, EFF highly recommends that for now you uninstall or disable your PGP email plug-in. #efail 1/4 eff.org/deeplinks/2018…
Here are instructions for disabling the Enigmail or GPGTools plug-ins in some common email clients:
Thunderbird: eff.org/deeplinks/2018…
Apple Mail: eff.org/deeplinks/2018…
Outlook: eff.org/deeplinks/2018…
Thunderbird: eff.org/deeplinks/2018…
Apple Mail: eff.org/deeplinks/2018…
Outlook: eff.org/deeplinks/2018…
More details about the vulnerability will be made public on 2018-05-15 07:00 UTC. We will release more explanations and analysis then.
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: eff.org/deeplinks/2018… #efail 2/4
Here are @EFF’s guides for disabling PGP/GPG in Thunderbird eff.org/deeplinks/2018…, Apple Mail eff.org/deeplinks/2018…, and Outlook eff.org/deeplinks/2018…. #efail 3/4
