<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">FYI, don’t use PGP till they figure out a solution.<br><div><br>Begin forwarded message:<br><br></div><blockquote type="cite"><div><b>From:</b> nash via EFA &lt;<a href="mailto:efa@lists.eff.org">efa@lists.eff.org</a>&gt;<br><b>Date:</b> May 14, 2018 at 16:58:56 CST<br><b>To:</b> <a href="mailto:efa@lists.eff.org">efa@lists.eff.org</a><br><b>Subject:</b> <b>[EFA] An urgent notice to our Electronic Frontier Alliance allies regarding PGP and S/MIME communications.</b><br><b>Reply-To:</b> nash &lt;<a href="mailto:nash@eff.org">nash@eff.org</a>&gt;<br><br></div></blockquote><blockquote type="cite"><div>
  

  
  
    <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><b style="font-weight:normal;" id="docs-internal-guid-3688abbe-60d8-7c37-f0dd-61699c951d7f"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;"><a class="moz-txt-link-freetext" href="https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0">https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0</a></span></b></p>
    <b style="font-weight:normal;" id="docs-internal-guid-3688abbe-60d8-7c37-f0dd-61699c951d7f"> <br>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Dear EFA allies,</span></p>
      <br>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">As many of you provide digital security training and support for activists within your communities, we wanted to make sure you are aware of the recently disclosed vulnerabilities in PGP and S/MIME. While not cause for panic, we do think it is responsible to advise those who may be using either for sensitive communication to disable these tools for the time being. </span></p>
      <br>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">A group of European security researchers has released a warning about a set of vulnerabilities in both protocols. EFF has been in communication with the research team and can confirm that these vulnerabilities pose an immediate risk to those using PGP or S/MIME for email communication, </span><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">including the potential exposure of the contents of past messages</span><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">.</span></p>
      <br>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, </span><a href="https://ssd.eff.org/en/module/how-use-signal-android" style="text-decoration:none;"><span style="font-size:11pt;font-family:Arial;color:#1155cc;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;-webkit-text-decoration-skip:none;text-decoration-skip-ink:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">such as</span></a><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;"> </span><a href="https://ssd.eff.org/en/module/how-use-signal-ios" style="text-decoration:none;"><span style="font-size:11pt;font-family:Arial;color:#1155cc;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;-webkit-text-decoration-skip:none;text-decoration-skip-ink:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Signal</span></a><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">, and temporarily stop sending and especially reading PGP-encrypted email.</span></p>
      <br>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><b><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Please refer to these guides on how to temporarily disable PGP plug-ins in:</span></b></p>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Thunderbird with Enigmail</span></p>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;"><a class="moz-txt-link-freetext" href="https://www.eff.org/deeplinks/2018/05/disabling-pgp-thunderbird-enigmail">https://www.eff.org/deeplinks/2018/05/disabling-pgp-thunderbird-enigmail</a></span></p>
      <br>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Apple Mail with GPGTools</span></p>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;"><a class="moz-txt-link-freetext" href="https://www.eff.org/deeplinks/2018/05/disabling-pgp-apple-mail-gpgtools">https://www.eff.org/deeplinks/2018/05/disabling-pgp-apple-mail-gpgtools</a></span></p>
      <br>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Outlook with Gpg4win</span></p>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;"><a class="moz-txt-link-freetext" href="https://www.eff.org/deeplinks/2018/05/disabling-pgp-outlook-gpg4win">https://www.eff.org/deeplinks/2018/05/disabling-pgp-outlook-gpg4win</a></span></p>
      <br>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community.</span></p>
      <br>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Please feel free to forward this message to those who may be affected.</span></p>
      <br>
      <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Thank you, as ever, for all your work,</span></p>
    </b>
    <pre class="moz-signature" cols="72">-- 
nash 
Grassroots Advocacy Organizer
Electronic Frontier Foundation 
815 Eddy St
San Francisco, CA 94109
415-436-9333 ext 184
<a class="moz-txt-link-abbreviated" href="mailto:nash@eff.org">nash@eff.org</a>
Become A Member! <a class="moz-txt-link-freetext" href="https://www.eff.org/join">https://www.eff.org/join</a>
Learn more about digital security at <a class="moz-txt-link-freetext" href="https://ssd.eff.org/">https://ssd.eff.org/</a>.
Check out tools for encrypting the web at <a class="moz-txt-link-freetext" href="https://www.eff.org/encrypt-the-web">https://www.eff.org/encrypt-the-web</a></pre>
  

</div></blockquote></body></html>