Rich Kulawiec on 14 May 2018 15:39:59 -0700
Re: [PLUG] Heads-up, PGP/GPG users: critical security flaw, disable it in email clients NOW
On Mon, May 14, 2018 at 10:25:33AM -0400, Rich Kulawiec wrote:
> I haven't had time to do more than skim both articles, but will read the
> full paper later today.

So I read it, albeit quickly. The impression I get, and I urge you to take this with a huge grain of salt, is that most of this issue traces back to problems in email clients which don't properly handle errors returned to them by PGP/GPG and thus do really bad things with HTML markup. It thus appears to me that this is less a PGP/GPG problem and more a sloppy mail client problem that can be exploited via PGP/GPG. A more careful read will have to wait.

But we've already known for years and years that HTML markup in email is an atrociously bad idea. It's a worst practice. Which is why I've said for an equal number of years that HTML markup in email is used by three groups of people:

(1) ignorant newbies who don't know any better
(2) ineducable morons who refuse to learn
(3) spammers.

There are no exceptions.

If you're an IT professional, and you have your hands on the levers and knobs of systems and networks, then you should be using an email client which (a) doesn't parse HTML and (b) doesn't have a GUI. I strongly recommend mutt (which, incidentally, comes up clean in the table included in the paper) which is certainly not perfect, but is very hard to exploit against a user who's paying attention. It's also ridiculously compact and fast and does a lot of things well that much prettier, fancier clients can't do at all.

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
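
The message above attributes the problem to mail clients that ignore errors returned by PGP/GPG and then render HTML. As an added example that is not part of the original post or of any mail client's code, this sketch shows a fail-closed check on GnuPG's `--status-fd` output before a body is displayed. The function names, the policy of requiring both `DECRYPTION_OKAY` and `GOODMDC`, and the sample status text are assumptions of the example.

```python
import html

# Status keywords GnuPG writes (with --status-fd) as "[GNUPG:] KEYWORD args".
FATAL = {"DECRYPTION_FAILED", "BADMDC"}
REQUIRED = {"DECRYPTION_OKAY", "GOODMDC"}  # policy assumed by this example

class DecryptionRejected(Exception):
    """Raised instead of handing unverified plaintext to the viewer."""

def status_keywords(status_text):
    """Collect the keyword of every '[GNUPG:] ...' status line."""
    found = set()
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            if len(fields) > 1:
                found.add(fields[1])
    return found

def safe_to_display(exit_code, status_text):
    """Fail closed: any error, or a missing success marker, means no display."""
    seen = status_keywords(status_text)
    return exit_code == 0 and not (seen & FATAL) and REQUIRED <= seen

def render(exit_code, status_text, plaintext):
    """Return display text, or raise if GnuPG reported a problem."""
    if not safe_to_display(exit_code, status_text):
        raise DecryptionRejected("GnuPG reported an error; body withheld")
    # Escape markup so an HTML-capable viewer shows it as inert text.
    return html.escape(plaintext)

# Constructed sample status output (not captured from a real session).
OK_STATUS = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n"
             "[GNUPG:] GOODMDC\n[GNUPG:] END_DECRYPTION\n")
TAMPERED_STATUS = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] BADMDC\n"
                   "[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n")
NO_MDC_STATUS = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n"
                 "[GNUPG:] END_DECRYPTION\n")

if __name__ == "__main__":
    samples = [("ok", 0, OK_STATUS), ("tampered", 2, TAMPERED_STATUS),
               ("no-mdc", 0, NO_MDC_STATUS)]
    for name, code, status in samples:
        print(name, safe_to_display(code, status))
```

The third sample is the case a lenient client gets wrong: exit code 0 and `DECRYPTION_OKAY`, but no integrity confirmation, so the body is still withheld.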