Rich Freeman on 17 May 2018 23:42:30 -0700



Re: [PLUG] Heads-up, PGP/GPG users: critical security flaw, disable it in email clients NOW


On Thu, May 17, 2018 at 9:54 PM Thomas Delrue <delrue.thomas@gmail.com>
wrote:

> On 05/17/2018 09:42 AM, Michael Leone wrote:
> > On Thu, May 17, 2018 at 9:22 AM, Rich Freeman <r-plug@thefreemanclan.net> wrote:
> >> On Thu, May 17, 2018 at 8:59 AM Rich Kulawiec <rsk@gsp.org> wrote:
> >>
> >>> The moral is: never, EVER, read your email with a web browser.
> >>
> >> This is impractical
> >
> > That's putting it mildly, I'd say ... as I answer this from my Chrome
> > web browser ...

> As a retort to your "chrome web browser": ... as I answer this from my
> Thunderbird e-mail client configured to do text-only and with GPG locked
> and loaded.


There are MUAs that can be run from within a browser that can be configured
to disable html mail and which support GPG.

I'm not convinced that Thunderbird is any more secure than these.  If there
is a bug in Thunderbird then on a typical Linux desktop distro an exploit
would have access to all your files, the memory of any applications you
have running under your uid (including your gpg key), and the ability to
log keystrokes from any other client window on your X11 session (regardless
of whether those clients are running on the same host).  On the other hand
if there is a bug in your web-based email client then without an additional
bug in the browser it isn't going to be able to do much more than read your
email, and maybe your gpg key if it has a copy of it.

Browsers are basically designed to sandbox hostile code.  That certainly
isn't the case for X11 or ELF in general, and while technologies exist to
harden the latter they aren't widely used in a desktop setting.  Are you
running that Thunderbird email client with reasonably strict SELinux rules
or in a minimal container/VM, and sending the X11 connection through an ssh
proxy that filters out stuff like keyloggers?

In the case of cloud-hosted web-based email you also have the advantage of
professional management.  I suspect that Google/Microsoft/Yahoo/etc are
going to be patching bugs in their popular email services more diligently
than Aunt Tilly keeps her Thunderbird install up to date (likely on
Windows).

I'd also take issue with the assertion that it is impossible to securely
handle markup in an email.  Virtually all email clients strip javascript
from html mail (ironically Thunderbird is one of the few that actually
supports executing javascript in email).  Certainly gmail does so.  I don't
see why html in an email is any more of a problem than implementing a word
processor.  There is a reason that most businesses seem to be moving more
and more towards running all their applications from a browser (email tends
to be one of the holdouts due to the ubiquity of Outlook, though the
web-based version of it isn't completely terrible).

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
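
Added example, not part of the original message and not the code of Gmail, Thunderbird or any other client named above: a minimal allowlist sanitizer showing the kind of JavaScript stripping from HTML mail that the message describes. It uses Python's standard `html.parser`; the allowlist, the names `MailSanitizer` and `sanitize`, and the sample message are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example; anything not listed is dropped.
ALLOWED_TAGS = {"a", "b", "blockquote", "br", "em", "i", "li", "ol", "p", "strong", "ul"}
ALLOWED_ATTRS = {"a": {"href"}}             # no on*=, style= or src= anywhere
SAFE_SCHEMES = ("http:", "https:", "mailto:")
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded before checks
        self.out = []
        self.skip_depth = 0                      # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                               # unknown tag removed, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                         # drops onclick=, onerror=, ...
            # Browsers ignore whitespace and control characters inside a scheme.
            url = "".join(c for c in (value or "") if c > " ").lower()
            if url.startswith(SAFE_SCHEMES):     # allowlist, so javascript: fails
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape all text

def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)

# Constructed sample message body.
SAMPLE = ('<p onclick="steal()">Hi <b>there</b></p><script>alert(1)</script>'
          '<a href="java&#115;cript:alert(1)">x</a>'
          '<a href="https://example.org/?a=1&amp;b=2">ok</a>')
```

Because both tags and URL schemes are allowlisted, an entity-encoded or case-mixed `javascript:` link loses its `href` rather than needing to be recognised as hostile.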