Security News
OpenPGP project RNP has patched its flagship library after Mozilla Thunderbird, a major user, was found to be saving users' private keys in plain text. The RNP bug is still tracked under CVE-2021-29956, the identifier allocated to the Thunderbird vulnerability, and has now been squashed.
Mozilla Thunderbird spent the last couple of months saving some users' OpenPGP private keys in plain text, but that has now been patched, the author of both the bug and the fix has told The Register. The vulnerability, assessed as "Low" impact by Mozilla, existed in the free open source Thunderbird email client from version 78.8.1 up to version 78.10.1, and came to light after a crestfallen maintainer realised that carefully designed protections were in fact not protecting users' private OpenPGP keys.
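The failure described above is that secret-key material reached disk without its S2K passphrase protection. A practitioner who wants to check a keyring for the same condition can do it without any OpenPGP library: in RFC 4880 a version 4 secret-key packet (tag 5) or secret-subkey packet (tag 7) carries the public-key fields followed by one "S2K usage" octet, and that octet is 0 when the secret MPIs are stored unencrypted, 254 or 255 when they are passphrase-protected via S2K, and otherwise a bare symmetric-cipher ID in the legacy encoding. The following scanner, added here as an illustration and not code from RNP, Thunderbird or The Register, walks the packets of a raw (binary, not ASCII-armoured) keyring and reports the protection state of every secret key. The two packets it scans are constructed in the block with throwaway one-byte MPIs so it runs offline; they are not real keys, and the checksum and ciphertext bytes are filler.

```python
"""Report whether each OpenPGP secret-key packet in a keyring blob stores its
key material in plain text (S2K usage octet 0, RFC 4880 section 5.5.3).
Added example; not code from RNP, Thunderbird or The Register. The sample
packets at the bottom are constructed here and are not real keys."""
import struct

SECRET_KEY_TAGS = {5: "secret-key", 7: "secret-subkey"}
# Public-key algorithm IDs and how many MPIs follow the v4 key header:
# RSA (1, 2, 3): n, e  --  ElGamal (16): p, g, y  --  DSA (17): p, q, g, y
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}
EC_ALGOS = {18, 19, 22}   # ECDH, ECDSA, EdDSA (RFC 6637 layout): curve OID + point MPI


def iter_packets(blob):
    """Yield (tag, body) for each packet, handling old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError("byte 0x%02x at offset %d is not a packet header" % (ctb, i))
        if ctb & 0x40:                        # new-format header, tag in the low 6 bits
            tag = ctb & 0x3F
            first = blob[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + blob[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", blob[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                 # old-format header, tag in bits 2-5
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not handled here")
            n = 1 << ltype                    # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(blob[i + 1:i + 1 + n], "big"), 1 + n
        body = blob[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        yield tag, body
        i += hdr + length


def skip_mpi(body, off):
    """Return the offset just past the MPI (2-octet bit count + big-endian value) at off."""
    bits = struct.unpack(">H", body[off:off + 2])[0]
    return off + 2 + (bits + 7) // 8


def public_key_end(body):
    """Return (offset past the public-key fields, algorithm ID) for a v4 key packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 key packets are handled here")
    algo, off = body[5], 6                    # version, 4-octet creation time, algorithm
    if algo in MPI_COUNT:
        for _ in range(MPI_COUNT[algo]):
            off = skip_mpi(body, off)
    elif algo in EC_ALGOS:
        off += 1 + body[off]                  # curve OID: length octet + OID bytes
        off = skip_mpi(body, off)             # public point
        if algo == 18:                        # ECDH also carries KDF parameters (length-prefixed)
            off += 1 + body[off]
    else:
        raise ValueError("unsupported public-key algorithm %d" % algo)
    return off, algo


def secret_key_protection(body):
    """Classify the S2K usage octet that follows the public fields of a secret-key packet."""
    off, _ = public_key_end(body)
    usage = body[off]
    if usage == 0:
        return "plaintext"                    # secret MPIs stored unencrypted: the Thunderbird failure mode
    if usage in (254, 255):
        return "s2k-encrypted (sym alg %d)" % body[off + 1]
    return "legacy-encrypted (sym alg %d)" % usage   # any other value is a cipher ID, no S2K specifier


def audit_keyring(blob):
    """Return [(packet kind, protection)] for every secret-key packet in a binary keyring blob."""
    return [(SECRET_KEY_TAGS[tag], secret_key_protection(body))
            for tag, body in iter_packets(blob) if tag in SECRET_KEY_TAGS]


# --- constructed sample keyring (not real keys; MPIs are one byte, filler bytes are zero) ---
def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

PUB_RSA = bytes([4]) + b"\x00\x00\x00\x00" + bytes([1]) + _mpi(0xC5) + _mpi(0x11)
# Unprotected key: usage octet 0, then d, p, q, u in the clear and a 2-octet checksum.
PLAIN_BODY = PUB_RSA + bytes([0]) + _mpi(0x03) + _mpi(0x02) + _mpi(0x03) + _mpi(0x01) + b"\x00\x00"
# Protected key: usage 254, AES-256 (9), iterated+salted S2K (3) with SHA-256 (8),
# 8-octet salt, count octet, 16-octet IV, then (filler) ciphertext.
PROT_BODY = PUB_RSA + bytes([254, 9, 3, 8]) + b"\x00" * 8 + bytes([0x60]) + b"\x00" * 16 + b"\x00" * 8
SAMPLE_KEYRING = (bytes([0x94, len(PLAIN_BODY)]) + PLAIN_BODY     # old-format header, tag 5
                  + bytes([0xC7, len(PROT_BODY)]) + PROT_BODY)     # new-format header, tag 7

if __name__ == "__main__":
    for kind, state in audit_keyring(SAMPLE_KEYRING):
        print("%-14s %s" % (kind, state))
```

To run it against a real keyring, read the binary secret-key file (e.g. the output of `gpg --export-secret-keys` without `--armor`) into a bytes object and pass it to `audit_keyring`; any entry reported as `plaintext` is a key whose material is readable by anyone who can read the file. The scanner deliberately refuses partial-body and indeterminate lengths rather than guessing, since a wrong length would silently desynchronise the packet walk.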
Boffins testing the security of OpenPGP and S/MIME, two end-to-end encryption schemes for email, recently found multiple vulnerabilities in the way email client software deals with certificates and key exchange mechanisms. In a paper [PDF] titled "Mailto: Me Your Secrets. On Bugs and Features in Email End-to-End Encryption," presented earlier this summer at the virtual IEEE Conference on Communications and Network Security, Jens Müller, Marcus Brinkmann, Joerg Schwenk, Damian Poddebniak and Sebastian Schinzel reveal how they were able to conduct key replacement, MITM decryption, and key exfiltration attacks on various email clients.
"Hi all, Has anyone seen or heard from Kristian in the last month or so?" asked Todd Fleisher earlier this month, on 11 June, on the main mailing list for an important cluster of OpenPGP key servers. Kristian Fiskerstrand, who had seemingly gone AWOL, issues the cryptographic certificates to servers that join the SKS keyserver pools, allowing these volunteer machines to share the load in securely handling key lookup requests.
Somebody out there has taken a big dislike to Robert J. Hansen (‘rjh’) and Daniel Kahn Gillmor (‘dkg’), two well-regarded experts in the specialised world of OpenPGP email encryption.
Poisoned certificates are in the OpenPGP SKS keyserver network after an unknown threat actor targeted the OpenPGP certificates of two high-profile community contributors.
Researchers from three universities in Germany and Belgium say they have discovered attack methods that can be used by malicious actors to read emails encrypted with OpenPGP and S/MIME, but some...