Rich Kulawiec on 14 May 2018 15:39:59 -0700



Re: [PLUG] Heads-up, PGP/GPG users: critical security flaw, disable it in email clients NOW


On Mon, May 14, 2018 at 10:25:33AM -0400, Rich Kulawiec wrote:
> I haven't had time to do more than skim both articles, but will read the
> full paper later today.

So I read it, albeit quickly.  The impression I get, and I urge you to take
this with a huge grain of salt, is that most of this issue traces back
to problems in email clients which don't properly handle errors returned
to them by PGP/GPG and thus do really bad things with HTML markup.  It thus
appears to me that this is less a PGP/GPG problem and more a sloppy mail
client problem that can be exploited via PGP/GPG.  A more careful read will
have to wait.

But we've already known for years and years that HTML markup in email is
an atrociously bad idea.  It's a worst practice.  Which is why I've
said for an equal number of years that HTML markup in email is used by
three groups of people: (1) ignorant newbies who don't know any better
(2) ineducable morons who refuse to learn (3) spammers.  There are no
exceptions.

If you're an IT professional, and you have your hands on the levers and
knobs of systems and networks, then you should be using an email client
which (a) doesn't parse HTML and (b) doesn't have a GUI.  I strongly
recommend mutt (which, incidentally, comes up clean in the table included
in the paper) which is certainly not perfect, but is very hard to exploit
against a user who's paying attention.  It's also ridiculously compact
and fast and does a lot of things well that much prettier, fancier clients
can't do at all.

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
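
The error handling the message above describes mail clients as lacking, sketched as an added example that is not part of the original post or of any client's code: decrypted output is shown only when gpg's machine-readable status lines (as written by `gpg --status-fd`) confirm success, and then only as inert escaped text. Assumptions: the function names are hypothetical, the status samples are constructed, and requiring `GOODMDC` is a strict policy chosen for this example.

```python
import html

PREFIX = "[GNUPG:] "
# Status keywords that mean the output must not be shown.
FATAL = {"DECRYPTION_FAILED", "BADMDC", "NODATA"}

def parse_status(status_text):
    """Collect the status keywords from gpg --status-fd output."""
    keywords = set()
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                keywords.add(fields[0])
    return keywords

def decide(exit_code, status_text, require_goodmdc=True):
    """Return (ok, reason). Anything short of a clean success is a refusal."""
    kw = parse_status(status_text)
    bad = sorted(kw & FATAL)
    if bad:
        return False, "gpg reported " + ", ".join(bad)
    if exit_code != 0:
        return False, "gpg exited with status %d" % exit_code
    if "DECRYPTION_OKAY" not in kw:
        return False, "no DECRYPTION_OKAY"
    # Assumed strict policy: demand explicit integrity confirmation.
    if require_goodmdc and "GOODMDC" not in kw:
        return False, "no integrity confirmation (GOODMDC)"
    return True, "ok"

def render(exit_code, status_text, plaintext):
    """Return display text: escaped plaintext, or a refusal notice."""
    ok, reason = decide(exit_code, status_text)
    if not ok:
        return "[message not displayed: %s]" % reason
    # Escape markup so it is shown as text, never interpreted.
    return html.escape(plaintext)

# Constructed status samples (not captured from a real session).
GOOD = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n"
        "[GNUPG:] GOODMDC\n[GNUPG:] END_DECRYPTION\n")
TAMPERED = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] BADMDC\n"
            "[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n")
NO_MDC = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n"
          "[GNUPG:] END_DECRYPTION\n")

if __name__ == "__main__":
    for name, code, st in (("good", 0, GOOD), ("tampered", 2, TAMPERED),
                           ("no-mdc", 0, NO_MDC)):
        print(name, "->", render(code, st, "<b>hi</b>"))
```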