[Chugalug] PGP Broken. Long Live PGP


[Chugalug] PGP Broken. Long Live PGP

Stephen Kraus

Re: [Chugalug] PGP Broken. Long Live PGP

Joel Swanson-2
Great subject line, Stephen.

Does anyone know of another asymmetric encryption protocol that
addresses some of PGP's design weaknesses? I'd love to use something
like Signal, but I prefer using open protocols rather than particular
projects' products.

Thanks!

Joel Swanson


On 05/15/2018 02:00 PM, [hidden email] wrote:

> Send Chugalug mailing list submissions to
> [hidden email]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
> or, via email, send a message with subject or body 'help' to
> [hidden email]
>
> You can reach the person managing the list at
> [hidden email]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Chugalug digest..."
>
>
> Today's Topics:
>
>     1. PGP Broken. Long Live PGP (Stephen Kraus)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 14 May 2018 08:56:08 -0400
> From: Stephen Kraus <[hidden email]>
> To: CHUGALUG <[hidden email]>
> Subject: [Chugalug] PGP Broken. Long Live PGP
> Message-ID:
> <CAN1egVA3n8==gEJmCGKRhU2tZ4_SHDUq1=[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://chugalug.org/pipermail/chugalug/attachments/20180514/1102ef5e/attachment.html>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Chugalug mailing list
> [hidden email]
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>
>
> ------------------------------
>
> End of Chugalug Digest, Vol 20, Issue 12
> ****************************************
>

--
Joel Swanson    +33.7.82.95.31.62
SIP:     [hidden email]
mail:  [hidden email]

Secure your emails and verify my signature: emailselfdefense.fsf.org
GPG fingerprint: 66FDB62FDE0B70AF
_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug

Re: [Chugalug] PGP Broken. Long Live PGP

Keith
A couple of things:

1) Isn’t Signal Open Source and using open protocols already?
2) My understanding of the E-Fail exploit is that it is not an issue with the PGP encryption itself, it’s an issue with the way email clients/plug-ins are implementing it. 


Re: [Chugalug] PGP Broken. Long Live PGP

Stephen Kraus
The problem is that the misconfiguration results in retrieving a decrypted message whereas it should cause an error and fail to decrypt.

That's the bug. Yes, it's easily fixed by ensuring the user has his setup configured correctly, but PGP also needs to ensure that it doesn't result in it spitting out decrypted messages rather than alerting the user to an error while maintaining encryption.

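An added illustration of the fail-closed behaviour discussed in the message above (not part of the thread, and not code from GnuPG or any mail client): a gate that hands buffered plaintext to the renderer only when GnuPG's `--status-fd` output reports both a successful decryption and a passed integrity check. The function names and the sample status streams are constructed for this example.

```python
"""Fail-closed gate over GnuPG --status-fd output (added example)."""

PREFIX = "[GNUPG:] "
FATAL = {"DECRYPTION_FAILED", "BADMDC"}     # any of these: never show plaintext
REQUIRED = {"DECRYPTION_OKAY", "GOODMDC"}   # all of these must be present


def status_keywords(status_text):
    """Return the set of status keywords found on '[GNUPG:] ' lines."""
    seen = set()
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                seen.add(fields[0])
    return seen


def decide(status_text):
    """Return (ok, reason); ok is True only for an integrity-checked decrypt."""
    seen = status_keywords(status_text)
    fatal = sorted(seen & FATAL)
    if fatal:
        return False, "rejected: " + ", ".join(fatal)
    missing = sorted(REQUIRED - seen)
    if missing:
        return False, "rejected: missing " + ", ".join(missing)
    return True, "accepted"


def release_plaintext(plaintext, status_text):
    """Hand buffered plaintext to the renderer only after a clean verdict."""
    ok, reason = decide(status_text)
    if not ok:
        raise ValueError(reason)  # alert the user; render nothing
    return plaintext


# Constructed status streams (not captured from real mail).
CLEAN = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] GOODMDC\n"
         "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n")
TAMPERED = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] BADMDC\n"
            "[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n")
NO_CHECK = ("[GNUPG:] BEGIN_DECRYPTION\n"
            "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n")

if __name__ == "__main__":
    for name, stream in (("clean", CLEAN), ("tampered", TAMPERED),
                         ("no integrity check", NO_CHECK)):
        print(name, "->", decide(stream))
```

The caller has to buffer the decrypted output and discard it on a rejection, because the verdict is only known once the whole message has been processed.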

Re: [Chugalug] PGP Broken. Long Live PGP

Sean Brewer
In reply to this post by Joel Swanson-2
Signal's protocol and software are open and have been from the start. You can find the source for the various Signal applications and the protocol libraries they maintain here: https://github.com/signalapp

