Rich Kulawiec on 17 May 2018 05:59:14 -0700



Re: [PLUG] Heads-up, PGP/GPG users: critical security flaw, disable it in email clients NOW


On Tue, May 15, 2018 at 03:13:38PM -0400, Greg Helledy wrote:
> Unrelated to PGP, what bothers me is webmail that doesn't let you fully
> disable HTML.  I can't stop companies from sending me emails full of
> HTML-downloaded content, but I should be able to stop it downloading.

Even that's sometimes insufficient.  To explain: depending on the
combination of your browser, its settings, its extensions, their settings,
and the webmail client, the presence of those links may trigger accesses
to the URLs in messages.  (For example: consider an extension that attempts
to pre-screen links for malicious content.  Or one that's aware that
URL redirection services are malicious and attempts to resolve the true
URL.)  There are similar problems that arise WRT DNS lookups, as some
senders have devised methods that use DNS queries (which are sometimes sent
even if no HTTP request for a URL is imminent) to provide roughly the
same signalling as URLs.  (Think "accelerators" in certain browsers.)

It's a hairball.  And even if you take the time to unravel it and completely
understand what it's doing (and what it's not) that analysis can be rendered
moot by the next release of your browser (or a browser extension), or by
changes in the webmail code.  Many of these can happen silently or nearly
so and thus undercut defenses in other parts of the stack.

This is all before we even touch on bugs and vulnerabilities, and that's
*another* hairball.  And THAT'S before we get into scripting.  And...

The moral is: never, EVER, read your email with a web browser.

---rsk

p.s. I should admit that Once Upon A Time, I thought webmail was a pretty
neat idea.  And I suppose, as an abstract concept, it still is.  But the
reality is completely different.
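The point above, that blocking remote-content loading is not enough because a link's hostname alone can carry a per-recipient token that leaks on a bare DNS lookup, can be made concrete with a small checker. The following is an added example, not code from the original post or from any list member: it walks a constructed HTML message, separates hostnames that a client fetches while rendering (img/src, CSS url()) from hostnames that merely appear in links, and flags link-only hosts whose labels look like unique tokens. The sample message, the made-up `.invalid` domains, and the token heuristic (label length, a digit, and Shannon entropy above 3 bits per character) are all assumptions of this example.

```python
"""
Added example (not from the original post). Find hostnames in an HTML mail
that never get fetched on render but still identify the recipient, so that a
single DNS lookup by a link-screening extension, a redirect resolver or a
browser "accelerator" signals the sender that the message was opened.
"""
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the domains are made up (.invalid TLD) and the
# 16-hex label is a stand-in for a per-recipient token.
SAMPLE_HTML = """
<html><head><style>
  body { background: url(https://cdn.example-mailer.invalid/bg.png); }
</style></head><body>
<p>Hello, see our <a href="https://www.example.com/">site</a>.</p>
<p><a href="https://3f9c2a7b1d4e5f60.click.example-mailer.invalid/offer">Special offer</a></p>
<img src="https://t.example-mailer.invalid/open.gif?u=3f9c2a7b1d4e5f60" width="1" height="1">
</body></html>
"""

# Attributes fetched while rendering (what "don't load remote content" blocks).
RENDER_ATTRS = {"src", "background", "poster"}
# Attributes only followed on click, but whose hostnames still sit in the DOM.
LINK_ATTRS = {"href", "action"}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")


class RefCollector(HTMLParser):
    """Collect (kind, url) pairs; kind is 'render' or 'link'."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            if name in RENDER_ATTRS or (tag == "link" and name == "href"):
                self.refs.append(("render", value))      # <link href> is a stylesheet fetch
            elif name in LINK_ATTRS:
                self.refs.append(("link", value))
            elif name == "style":                         # inline style="... url(...)"
                self.refs.extend(("render", u) for u in CSS_URL_RE.findall(value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                                # <style> block contents
            self.refs.extend(("render", u) for u in CSS_URL_RE.findall(data))


def hosts_by_kind(html):
    """Return {'render': set(hosts), 'link': set(hosts)} for http(s) references."""
    parser = RefCollector()
    parser.feed(html)
    out = {"render": set(), "link": set()}
    for kind, url in parser.refs:
        parsed = urlparse(url.strip())
        if parsed.scheme in ("http", "https") and parsed.hostname:
            out[kind].add(parsed.hostname.lower())
    return out


def shannon_entropy(s):
    """Bits per character of the string s."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def looks_like_token(label):
    # Heuristic (an assumption of this example): long, digit-bearing,
    # high-entropy DNS labels are likely per-recipient identifiers.
    return (len(label) >= 12
            and any(ch.isdigit() for ch in label)
            and shannon_entropy(label) > 3.0)


def dns_only_leaks(html):
    """Hostnames never fetched on render but carrying a token-like label.
    Resolving one of these, without any HTTP request, already tells the
    sender that this copy of the message reached a client."""
    hosts = hosts_by_kind(html)
    return {host for host in hosts["link"] - hosts["render"]
            if any(looks_like_token(label) for label in host.split("."))}


if __name__ == "__main__":
    found = hosts_by_kind(SAMPLE_HTML)
    print("fetched on render :", sorted(found["render"]))
    print("link-only hosts   :", sorted(found["link"]))
    print("DNS-only leaks    :", sorted(dns_only_leaks(SAMPLE_HTML)))
```

On the sample, the tracking pixel and the CSS background are the hosts that a "block remote content" setting stops; the per-recipient `click` hostname is untouched by that setting and is reported as a DNS-only leak. The heuristic will miss tokens hidden in the path or query string (those need an HTTP request to leak) and can false-positive on legitimate long numeric labels, so treat its output as a triage list, not a verdict.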
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug