Pretty Good Privacy (PGP) has long been the primary IETF standard for encrypting email, but suffers from widespread usability and security problems that have limited its adoption. As time has marched on, the underlying cryptographic protocol has fallen out of date insofar as PGP is unauthenticated on a per message basis and compresses before encryption. There have been an increasing number of attacks on the increasingly outdated primitives and complex clients used by the PGP eco-system. However, attempts to update the OpenPGP standard have failed at the IETF except for adding modern cryptographic primitives. Outside of official standardization, Autocrypt is a "bottom-up" community attempt to fix PGP, but still falls victim to attacks on PGP involving authentication.

OpenPGP and S/MIME are two major standards for securing email communication introduced in the early 1990s. Three recent classes of attacks exploit weak cipher modes (EFAIL Malleability Gadgets, or EFAIL-MG), the flexibility of the MIME email structure (EFAIL Direct Exfiltration, or EFAIL-DE), and the Reply action of the email client (REPLY attacks). Although all three break message confidentiality by using standardized email features, only EFAIL-MG has been mitigated in IETF standards with the introduction of Authenticated Encryption with Associated Data (AEAD) algorithms. So far, no uniform and reliable countermeasures have been adopted by email clients to prevent EFAIL-DE and REPLY attacks. Instead, email clients implement a variety of different ad-hoc countermeasures which are only partially effective, cause interoperability problems, and fragment the secure email ecosystem.

We present the first generic countermeasure against both REPLY and EFAIL-DE attacks by checking the decryption context including SMTP headers and MIME structure during decryption. The decryption context is encoded into a string DC and used as Associated Data (AD) in the AEAD encryption. Thus the proposed solution seamlessly extends the EFAIL-MG countermeasures. The decryption context changes whenever an attacker alters the email source code in a critical way, for example, if the attacker changes the MIME structure or adds a new Reply-To header. The proposed solution does not cause any interoperability problems and legacy emails can still be decrypted. We evaluate our approach by implementing the decryption contexts in Thunderbird/Enigmail and by verifying their correct functionality after the email has been transported over all major email providers, including Gmail and iCloud Mail.

Security and privacy → Symmetric cryptography and hash functions.

German blog reader 1ST1 has mentioned the update here (thanks). According to the Thunderbird release notes, the update includes the following fixes. Some fixes might fix the slow startup of the previous Thunderbird versions, which were also discussed here on the blog.

- Attachments that should be opened in Thunderbird, such as ICS attachments, were offered to save the file instead.
- Saving attachments from IMAP accounts whose usernames contained special characters failed.
- Temporary files created for forwarded attachments sometimes had the wrong extension.
- S/MIME signatures were displayed as invalid by Outlook.
- URL input fields on content tabs incorrectly displayed a search glass icon on macOS.
- content locks) did not use contrasting theme colors
- Some messages with autocrypt headers loaded slowly, causing Thunderbird to hang.
- Server hostnames were truncated in account management.
- Account setup did not support non-ASCII characters in passwords.
- Account setup did not always preserve set values.
- For virtual folders, folder selection was not preserved if a folder name contained non-ASCII characters.
- Messages saved as "html" or "eml" did not contain message headers.
- The "Private web page" field was not included when exporting a contact to a vCard.
- Addons were still active after restarting Thunderbird in troubleshooting mode with the "Disable all addons" option enabled.
- FileLink attachments did not always show the FileLink provider icon.
- FileLink privacy notifications remained in the creation window after all FileLink attachments were removed.
- The "loading" icon remained after a failed FileLink upload.
- Longer event names for multi-day events were not wrapped.

In addition, various theme and UX improvements were made. Two security fixes were shipped, see the corresponding link in the release notes for details. The system requirements for the different operating system versions (see here for more details): The download of the free Thunderbird is available here.