
Re: [tor-talk] tor-talk Digest, Vol 88, Issue 13

> Message: 1
> Date: Mon, 14 May 2018 19:01:32 -0800
> From: I <beatthebastards@xxxxxxxxx>
> To: tor-talk@xxxxxxxxxxxxxxxxxxxx
> Subject: [tor-talk] PGP fiddly-diddly - action required
> Message-ID: <9CD1BA536D3.00000641beatthebastards@xxxxxxxxx>
> Content-Type: text/plain; charset=US-ASCII
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

This is terribly misrepresented in the press.

There is no problem with the encryption!

The issue is that mail clients are insecurely designed or insecurely configured by users to accept HTML commands to send
out clear text content after decryption. This falls into the more general category of, "Stop being stupid!"

Set your mail client to TEXT ONLY and stop automatically processing someone else's commands on your machine.

If you absolutely can't live without colored fonts and pretty layouts in your email, at least limit the HTML processing
to local content only; in Thunderbird this is called "Simple HTML."

Full HTML processing (Thunderbird "Original HTML") will reach out to the Internet and do things you may not like,
ranging from confirming you opened the email, exposing your direct IP address, to sending back your now unencrypted
full content.

Many email clients even support running JavaScript or other embedded code. If you enable these features, you may also
wish to roll yourself in butter and seasoned breadcrumbs.

Again, PGP/GPG is just fine, stop doing foolish things.
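
Added example, not part of the original post: a Python check that lists what an HTML mail part would fetch or execute when rendered with full HTML processing, which is the behaviour the message says to switch off. The names `RemoteRefFinder`, `audit_message`, `FETCH_ATTRS` and the sample message are hypothetical and constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# Attributes a renderer dereferences on its own, without a click (assumed list).
FETCH_ATTRS = {"src", "background", "poster", "srcset"}
REMOTE = ("http://", "https://", "//")

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, detail) tuples, in document order
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("active-content", tag, ""))
        for name, value in attrs:
            value = (value or "").strip()
            fetches = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if name.startswith("on"):  # onload, onerror, ...
                self.findings.append(("active-content", tag, name))
            elif fetches and value.lower().startswith(REMOTE):
                self.findings.append(("remote-fetch", tag, value))

def audit_message(raw):
    """Return findings for every text/html part of a raw mail message."""
    finder = RemoteRefFinder()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            finder.feed(body.decode(charset, "replace"))
    return finder.findings

# Constructed sample message: one click-only link, one local cid: image,
# one remote image and one script element.
SAMPLE = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Hello in plain text.
--b1
Content-Type: text/html

<p>Hello <a href="https://example.org/">link</a></p>
<img src="cid:logo@local">
<img src="https://tracker.example/open.gif?id=123">
<script>void 0</script>
--b1--
"""
```

Calling `audit_message(SAMPLE)` reports the remote image and the script element; the `cid:` image and the ordinary link are not reported because neither causes a network request on open.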