To anybody who used my #Gmail, #Gnus and #GPG Guide: Something seems to have surfaced regarding PGP And GPG, so maybe switch to some other technology such as Signal for the moment.
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
https://github.com/kensanata/ggg#gmail-gnus-gpg-guide-gggg
@cstrotm apparently so!
@kensanata
Can we just federate Wire and Signal then do away with email altogether?
@kensanata @eliasg I absolutely β€ this line "Not only does my email account get sent bills I donβt want to read, the bills I need fetch the bills I need to pay from the garbage dump of humanity, the Junk and Spam folder."
It'd have been so useful if Signal started allowing users to add usernames too as an identity.
@officialcjunior
Yes. I don't use it for precisely this reason. I prefer Wire.
@kensanata
@officialcjunior Or how about usernames *instead* of phone numbers.
Yeah, then we'd have total privacy.
@officialcjunior @kensanata That's exactly what Wire is doing.
@skiant Does Wire do end to end encryption these days? I faintly remember it not doing that some years ago.
@kensanata Yeah, Same protocol as Signal. Everything is encrypted (files, audio, video). And they are 100% open-source + working on federation so you could self-host.
@skiant That does sound very exciting!
@kensanata Yeah. Not to mention I feel the UX is way above what you have in Signal. They include tons of features that most tech-savy users would deem extraneous or ridiculous, but matter a lot for wider adoption (sending gifs, hand-drawing, and so on).
So yeah, except for the occasional glitches (sometimes notifications are not working on some people devices), they're really my go-to communication channel.
@kensanata As far as I understood, the attack works as follows:
1) Alice sends Bob an encrypted message, I intercept it but cannot read it.
2) I craft a new email to Bob and include the crypted text as an MIME attachment.
3) Bob decrypts the complete email, through an error in his MIME parser, the decrypted text from Alice becomes part of a larger HTML text.
4) By displaying the HTML mail, the secret message may be exfiltrated as part of an URL.
@Masek Sounds like a short and sweet explanation. I read the statement on the mailing list but didn't understand how that would work.
@kensanata Summary: MIME-Parsers are faulty, we knew that.
This attack is a neat trick to include a message I cannot decipher and send it someone else to decipher it and exfiltrate it back through a image URL or similar.
MUAs that call external URLs are a security risk. This was already known. This is just creatively using the problem to decipher a secret message.
No worries, you can just continue to use GPG. You can also continue to use Enigmail. Because what they provide there is not such a big thing:
https://g0v.social/@sheogorath/100026834195492957
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060320.html
@kensanata The problem here seems to be less PGP/GPG, but the use of complicated stuff like HTML and JavaScript together with encrypted communication. That one is hard to get right.