D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] gpg security flaw

 

I've only used GPG/PGP for email by encrypting text and then pasting it into an email or attaching an encrypted file.

That seems to leave out the problems with HTML and mail client/browser behaviours.

I'm not convinced that giving someone an encrypted message to pass on for you to where you want it to only be read is entirely logical.
Sending a message by whatever means (will X make contact with machine Y where he may find something to his interest),
or having a point to point pull contact (I'm X at the appointed moment, have you anything for me?)
and passing the encrypted object then seems more straightforward.



On Sat, 19 May 2018 at 10:47 Simon Waters <simon@xxxxxxxxxxxxxx> wrote:
Eion MacDonald via list wrote:
>
> I normally only use Enigmail/Thunderbird for signing, as
> secure messages now down via protonmail.ch if possible.
> But even signing seems effected to attach.

Hanno notes that the recent Thunderbird release to fix the HTML image link
flaw is an incomplete fix.

Stop fetching non-local content in HTML emails by default (if you ever
did), stops this whole class of issues.

The cryptographic weaknesses and flaws with PGP remain, some of these you
can mitigate with good choice of software and settings, some are inherent
to PGP model (no forward security). Although even there you can rotate
keys frequently to achieve a similar effect of hiding identity and
minimising risk from later key compromise (nothing like stopping using a
secret key, and burning the platforms it was on, to avoid having it
compromised).

> However "Signal" is based on ownership of a 'smartphone' (Android etc).
> So us older users who only use 2G phone/SMS phones cannot use Signal on
> desktop as "Signal" system is tied to a smartphone contact list.

I wouldn't recommend Signal for desktop, as the Desktop clients that are
available are based on the Electron Framework which is a mess, on Windows
it has had multiple issues that escalate XSS to remote code execution (and
I doubt the other platforms are much better). Although you can probably
virtualise that risk away if it is the best choice for you.

It is not enough to have strong cryptography it also has to be implemented
well, and deployed intelligently.

The EFF has discontinued their secure messaging Score card with a "think
about what you need" message (probably wise).

Good OpSec trumps a million technical features and issues of your platform.


--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
--

A Midgley

Nowadays: Property and Photography

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq