Discussion:
[PGP/GPG email plugin] stop it! (for a while)
(too old to reply)
pino
2018-05-15 19:06:52 UTC
Permalink
<https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0>
<https://tinyurl.com/yc2utlv6>
VITRIOL
2018-05-15 19:14:03 UTC
Permalink
Post by pino
<https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0>
<https://tinyurl.com/yc2utlv6>
<https://protonmail.com/blog/pgp-vulnerability-efail/>
--
Regards
VITRIOL
pino
2018-05-15 19:24:49 UTC
Permalink
Post by VITRIOL
Post by pino
<https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0>
<https://tinyurl.com/yc2utlv6>
<https://protonmail.com/blog/pgp-vulnerability-efail/>
Apply updates to your PGP software when they become available (if necessary).
Because the vulnerabilities are in the PGP implementations and not the OpenPGP
protocol itself, these bugs are very easy for PGP plugin developers to patch.
Or you can switch to using ProtonMail which is not susceptible to the Efail
vulnerabilities.
TL;DR: update or use something else (Protonmail). So what?

anyway, I didn't mean to sink the wonderful PGP/GPG, eh
VITRIOL
2018-05-15 19:31:46 UTC
Permalink
Post by pino
anyway, I didn't mean to sink the wonderful PGP/GPG, eh
It was just to clarify :-)
Obviously the article is biased, but it seemed clear enough to me. The
vulnerability is not in the cryptographic system itself, but if anything in
the software that implements it. And it is an easily fixable flaw.
--
Regards
VITRIOL
pino
2018-05-16 12:49:52 UTC
Permalink
Post by VITRIOL
Post by pino
anyway, I didn't mean to sink the wonderful PGP/GPG, eh
It was just to clarify :-)
Obviously the article is biased, but it seemed clear enough to me. The
vulnerability is not in the cryptographic system itself, but if anything in
the software that implements it. And it is an easily fixable flaw.
Anyone interested, reading [the one I linked], already understands from here:

{cut}
Post by VITRIOL
What's Being Done to Fix this Vulnerability
It’s possible to fix the specific exploits that allow messages to be
exfiltrated: namely, do better than the standard says by not rendering
messages if their integrity checks don’t check out. Updating the protocol and
patching vulnerable software applications would address this specific issue.
{cut}
Post by VITRIOL
PGP usage was always complicated and error-prone; with this new vulnerability,
it is currently almost impossible to give simple, reliable instructions on how
to use it with modern email clients.
{cut}
Post by VITRIOL
We Need To Be Better Than Pretty Good
The flaw that the researchers exploited in PGP was known for many years as a
theoretical weakness in the standard—one of many initially minor problems with
PGP that have grown in significance over its long life.
{cut}
Post by VITRIOL
Many will use today’s revelations as an opportunity to highlight PGP’s
numerous issues with usability and complexity, and demand better.
{cut}
Post by VITRIOL
We’re taking this latest announcement as a wake-up call to everyone in the
infosec and digital rights communities: not to pile on recriminations or
criticisms of PGP and its dedicated, tireless, and largely unfunded developers
and supporters, but to unite and work together to re-forge what it means to be
the best privacy tool for the 21st century.
{cut}

that is, the article never talks about security problems in PGP/GPG's
encryption but about security problems (*known for a long time but
underestimated*) in the software that implements PGP/GPG.

Then, being the EFF, instead of singing the praises of Protonmail (which I
use too), they recommend something else:

{cut}
Post by VITRIOL
EFF’s recommendations: Disable or uninstall PGP email plugins for now. Do not
decrypt encrypted PGP messages that you receive. Instead, use non-email based
messaging platforms, like Signal, for your encrypted messaging needs. Use
offline tools to decrypt PGP messages you have received in the past. Check for
updates at our Surveillance Self-Defense site regarding client updates and
improved secure messaging systems.
TL;DR: I wrote an alarming and misleading subject line, but thank you for the
link you added
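
An added example, not part of the thread or of the quoted articles: a fail-closed gate for the fix quoted above ("not rendering messages if their integrity checks don't check out"). It assumes the status keywords GnuPG writes when run with `--status-fd`; the function names and the sample status lines are constructed for illustration.

```python
# Added example: decide from GnuPG status output whether decrypted mail may be
# shown. Fail closed: render only when the integrity check is confirmed.
GNUPG_PREFIX = "[GNUPG:] "

def parse_status(lines):
    """Return (keyword, args) pairs for every GnuPG status line."""
    events = []
    for line in lines:
        line = line.strip()
        if not line.startswith(GNUPG_PREFIX):
            continue  # not a status line (e.g. human-readable stderr text)
        parts = line[len(GNUPG_PREFIX):].split()
        if parts:
            events.append((parts[0], parts[1:]))
    return events

def may_render(lines):
    """Return (ok, reason); ok is True only if integrity was verified."""
    seen = {}
    for keyword, args in parse_status(lines):
        seen.setdefault(keyword, args)
    if "BADMDC" in seen:
        return False, "integrity check failed (BADMDC)"
    if "DECRYPTION_FAILED" in seen:
        return False, "decryption failed"
    info = seen.get("DECRYPTION_INFO")  # <mdc_method> <sym_algo> [<aead_algo>]
    if info and info[0] == "0" and (len(info) < 3 or info[2] == "0"):
        return False, "message has no integrity protection"
    if "DECRYPTION_OKAY" not in seen or "GOODMDC" not in seen:
        return False, "integrity not confirmed"
    return True, "integrity verified"

# Constructed sample status streams (not captured from a real session).
GOOD = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_INFO 2 9",
        "[GNUPG:] PLAINTEXT 62 1526411212 ", "[GNUPG:] DECRYPTION_OKAY",
        "[GNUPG:] GOODMDC", "[GNUPG:] END_DECRYPTION"]
TAMPERED = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_INFO 2 9",
            "[GNUPG:] PLAINTEXT 62 1526411212 ", "[GNUPG:] BADMDC",
            "[GNUPG:] DECRYPTION_FAILED", "[GNUPG:] END_DECRYPTION"]
NO_MDC = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_INFO 0 9",
          "[GNUPG:] PLAINTEXT 62 1526411212 ", "[GNUPG:] DECRYPTION_OKAY",
          "[GNUPG:] END_DECRYPTION"]

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("tampered", TAMPERED),
                         ("no-mdc", NO_MDC), ("empty", [])):
        print(name, may_render(sample))
```

A mail plugin would buffer the decrypted output and pass it to the renderer only after this check returns True.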
