Re: [PLUG] Heads-up, PGP/GPG users: critical security flaw, disable it in email clients NOW

[Rich Kulawiec <rsk@gsp.org>]

On Thu, May 17, 2018 at 09:22:09AM -0400, Rich Freeman wrote:
> On Thu, May 17, 2018 at 8:59 AM Rich Kulawiec <rsk@gsp.org> wrote:
> 
> > The moral is: never, EVER, read your email with a web browser.
> 
> 
> This is impractical and dubious.  You might as well tell people to never
> read your email on a computer.  At least the browser does all the stuff
> you're concerned about in a sandbox.

It's not.  I've been doing it for decades.  Perhaps I should try explain it
a different way.

Every piece of software we use contributes to the aggregate attack
surface we present.  The biggest the surface, the more vulnerable we
are.  (Yes, I *know* this is an approximation because some code is
more vulnerable and some is less.  But there does not yet exist a
viable methodology for quantifying this more precisely, despite the
fact that we all really, really wish there was one.)

Therefore we should make the attack surface we present as small as
possible, to do what we can to make any attacks highly visible, and to
train ourselves to be vigilant about them -- because they're coming.

And as Schneier has pointed out, attacks never get worse.  They always
get better.

The best way to defend yourself WRT email is to use the simplest, smallest,
stupidest client possible.  I use and recommend mutt because it's quite
clearly the best available tool for the job.  However, for less-demanding
users, something like alpine may suffice.  The attack surface presented
by a client like mutt or alpine is small.

The worst way to defend yourself is to use a complex, huge, smart client.
The attack surface presented by a web browser like Firefox is enormous,
even more so if extensions are used, and still more so if the next
browser release undoes user settings (which has happened) or has new
settings set in a default-insecure state (which has happened) or breaks
extension functionality (which has happened) or has serious bugs (which
has happened).  And in the case of webmail, the browser interacts with
server-side code that has its own litany of issues, talking to a web
server backend that has...

A small mail client talking to a mail server with IMAP or POP involves a
heck of a lot less code and provides far fewer opportunities for mischief.

(And you can even mitigate some of that by using a tool like fetchmail
to pull mail down, and optionally pre-process/pre-sort it with procmail
before feeding it to your mail client.  If you get a lot of mail, and
especially if you get a lot of mail directed to role addresses, then I
highly recommend this.  If you do it well, it raises the bar for attackers
considerably -- because your mail client never talks to the server with
IMAP or POP, only with SMTP.  And you can eliminate the latter by running
your own local-only MTA instance that uses the real server as a smarthost,
thus isolating your mail client from all protocol-level attacks.)

Yes, there's a learning curve associated with this.  (But it's not a
steep one.) Yes, this means relying on external software to deal with
attachments, but that's a good thing.  (Hint: w3m is an excellent tool
for use with mutt.)  Yes, this means that you'll be writing your messages
in text.  (But you should be doing that anyway.)

I handle very large volumes of mail this way, from a diverse set of
correspondents scattered around the world using all kinds of mail
clients.  There are rarely any issues -- the much bigger problem is
my lack of time. ;)

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug