EFAIL (aka GPG vulnerability, or actually, much ado about very little...)

fletcherlynd

I guess everybody here is well informed and up to date with the latest finding about PGP security, but just in case, today a group of researchers has officially published a paper regarding some vulnerabilities they have discovered. I've added below the relevant link for those interested.

To sum up: those vulnerabilities are not exactly related to PGP/GPG per se, but affect the mail clients, or actually the way some mail clients are configured, so check out the list at the bottom of the research and, if you use any of those highlighted in red, take appropriate action (hint: avoid the blind and automatic opening of links, and avoid HTML if possible, since plain text is always safer. But more importantly: never ignore the warnings given by your email client!).

Obviously, if your mail client is highlighted in green, you are safe and sound ;-)

Efail description, PDF paper and FAQ:
https://efail.de/

I think it's only fair to give voice to GPG as well, so here below is a statement from the creators and maintainers of GPG that provides very useful details. If you are in a hurry, I'll just quote their last paragraph, which refers to the authors of the Efail paper:

----
The authors have done the community a good service by cataloguing buggy
email clients. We're grateful to them for that. We do wish,
though, this thing had been handled with a little less hype. A whole
lot of people got scared, and over very little.
----

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html
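
An added example, not part of the original post and not code from the Efail authors or GnuPG: a small Python check that flags a message carrying both encrypted content and an HTML part that would fetch remote resources when rendered, which is the client behaviour the hint above says to switch off. The attribute list, the MIME types treated as encrypted, and the sample message are assumptions made for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Attributes a client may fetch without a click (assumed, non-exhaustive list).
AUTO_LOAD = {"src", "background", "poster"}
# MIME types treated as "this message carries encrypted content" (assumption).
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted",
                   "application/pkcs7-mime"}

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for remote resources in an HTML part."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            auto = name in AUTO_LOAD or (tag == "link" and name == "href")
            url = (value or "").strip().lower()
            if auto and url.startswith(("http://", "https://", "//")):
                self.hits.append((tag, name, value.strip()))

def audit(raw):
    """Report encrypted parts and remote references found in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    finder, encrypted = RemoteRefFinder(), False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted = True
        elif ctype == "text/html":
            finder.feed(part.get_content())
    return {"encrypted": encrypted, "remote_refs": finder.hits,
            "risky": encrypted and bool(finder.hits)}

def sample_message():
    """Constructed sample: HTML part with a remote image plus an encrypted part."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    msg.add_alternative('<p>hi</p><img src="http://tracker.example/p.gif">',
                        subtype="html")
    msg.add_attachment(b"(placeholder ciphertext)", maintype="application",
                       subtype="pgp-encrypted")
    return msg.as_string()

if __name__ == "__main__":
    print(audit(sample_message()))
```

A message flagged as risky is one to read in plain-text mode with remote content loading disabled.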