To anybody who used my #Gmail, #Gnus and #GPG Guide: Something seems to have surfaced regarding PGP And GPG, so maybe switch to some other technology such as Signal for the moment.
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
https://github.com/kensanata/ggg#gmail-gnus-gpg-guide-gggg
@kensanata The problem here seems to be less PGP/GPG, but the use of complicated stuff like HTML and JavaScript together with encrypted communication. That one is hard to get right.

@cstrotm Do you have a link to more information?

@kensanata
Can we just federate Wire and Signal then do away with email altogether?

@eliasg @kensanata

It'd have been so useful if Signal started allowing users to add usernames too as an identity.

@officialcjunior Or how about usernames *instead* of phone numbers.

@kensanata

Yeah, then we'd have total privacy.


@skiant Does Wire do end to end encryption these days? I faintly remember it not doing that some years ago.

@kensanata Yeah, Same protocol as Signal. Everything is encrypted (files, audio, video). And they are 100% open-source + working on federation so you could self-host.

@skiant That does sound very exciting!

@kensanata As far as I understood, the attack works as follows:

1) Alice sends Bob an encrypted message, I intercept it but cannot read it.

2) I craft a new email to Bob and include the encrypted text as a MIME attachment.

3) Bob decrypts the complete email; through an error in his MIME parser, the decrypted text from Alice becomes part of a larger HTML text.

4) By displaying the HTML mail, the secret message may be exfiltrated as part of a URL.
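The two mitigations that follow from the description above are (a) never let a decrypted part merge into an HTML part from the same message, and (b) never auto-load remote resources from HTML mail. The following Python is an added example written for this thread, not code from any of the posters or from any mail client or GPG tool; the part list, the `application/pgp-encrypted` label used for the encrypted body, and the `fake_decrypt` stand-in for a real decryption call are all constructed for the demonstration.

```python
import html
import re

# Attributes that would make a viewer fetch a remote resource on display.
REMOTE_REF = re.compile(r'''(?i)\b(src|href|action)\s*=\s*(['"]?)\s*(https?:)''')
# CSS url(...) references, which can leak data the same way.
CSS_URL = re.compile(r'''(?i)url\(\s*(['"]?)\s*(https?:)''')


def neutralize_remote_content(html_text: str) -> str:
    """Rewrite http(s) references so a viewer cannot fetch them automatically.
    The scheme is replaced with a non-fetchable 'blocked:' pseudo-scheme."""
    html_text = REMOTE_REF.sub(lambda m: f"{m.group(1)}={m.group(2)}blocked:", html_text)
    return CSS_URL.sub(lambda m: f"url({m.group(1)}blocked:", html_text)


def render_decrypted_part(plaintext: str) -> str:
    """Decrypted text is escaped (quotes included, so it can never close an
    attribute opened by another part) and kept as its own fragment."""
    return '<pre class="decrypted">' + html.escape(plaintext, quote=True) + "</pre>"


def render_parts(parts, decrypt):
    """Return one safe fragment per MIME part.

    parts:   list of (content_type, payload) tuples (constructed input here)
    decrypt: callable that turns an encrypted payload into plaintext

    The fragments are deliberately NOT joined into one HTML document; a
    client must display each in its own container (e.g. a separate sandboxed
    frame) so an unterminated tag in one part cannot swallow another.
    """
    fragments = []
    for content_type, payload in parts:
        if content_type == "text/html":
            fragments.append(("html", neutralize_remote_content(payload)))
        elif content_type == "application/pgp-encrypted":  # label assumed for the example
            fragments.append(("decrypted", render_decrypted_part(decrypt(payload))))
        else:
            fragments.append(("text", "<pre>" + html.escape(payload, quote=True) + "</pre>"))
    return fragments


def remote_references(fragment: str):
    """Audit helper: list any remote references still present in a fragment."""
    found = [m.group(0) for m in REMOTE_REF.finditer(fragment)]
    found += [m.group(0) for m in CSS_URL.finditer(fragment)]
    return found


# Constructed sample message: an HTML part with a tracking image, followed by
# a part standing in for the encrypted body.
CONSTRUCTED_PARTS = [
    ("text/html", '<p>Hello</p><img src="https://tracker.example/pixel.gif">'),
    ("application/pgp-encrypted", "CIPHERTEXT-STANDIN"),
]


def fake_decrypt(payload: str) -> str:
    """Stand-in for a real GPG call; returns a fixed constructed plaintext."""
    return 'meeting moved to "noon" <room 4>'


if __name__ == "__main__":
    for kind, fragment in render_parts(CONSTRUCTED_PARTS, fake_decrypt):
        print(kind, fragment, remote_references(fragment))
```

Running it shows the tracking image's scheme rewritten to `blocked:` and the decrypted text returned as an escaped, self-contained fragment; `remote_references` reports nothing left to fetch in either fragment, which is the check a client could run before handing rendered parts to its HTML view.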

@Masek Sounds like a short and sweet explanation. I read the statement on the mailing list but didn't understand how that would work.