Can we also please talk about the need to MITM the encrypted message first before one can launch any attack? Thanks to ubiquitous TLS, this seems to be the much more difficult feat to pull off these days (unless you have considerable resources). The cost of targeting and MITMing a given user is gigantic.

Telling the general public to uninstall GPG extensions is really silly, they should do the opposite. And install updates and disable HTML, ffs. Everything else is just FUD 😩

@resist_berlin It never ceases to amaze me how turning off automatic patching is a required thing in many environments.

@resist_berlin True, but hey: the point of PGP is e2e encryption. So an attacker on the server or similar is totally in the attack scenario.

@rugk Yes, but getting on the server still requires considerable resources. It does not justify scaring the general public.

The article and many commentators seem to assume that intercepting someone's e-mails is as easy as sitting next to your target and running Wireshark for a bit. Or even that you can somehow magically obtain them. That is a thing of the past - MITM is quite difficult nowadays.

@rugk I get your point, but people are simply not discussing e2e *on top of* TLS. They make it sound as if everything is broken and everyone should act now. Which I think is irresponsible.

@rugk you have a point, though, when someone is using GPG with Gmail, they have forwarded your mailbox to the NSA and the NSA is indeed interested in you. That would fulfill the MITM condition. Even then you need an outdated Enigmail, your mail software must render HTML and decrypt stuff automatically for the attack to work. And you would immediately notice it because you receive e-mails more than once. *pondering*
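A defensive check for the "must render HTML" condition discussed in this thread, as an added example that is not code from anyone posting here: it walks a MIME message and flags HTML parts that would make a renderer fetch remote resources on display, which is what "disable HTML" or "block remote content" in a mail client prevents. The sample messages and addresses are constructed for the example.

```python
"""Flag MIME messages whose HTML parts would fetch remote content when rendered."""
import email
import re
from email import policy
from email.message import EmailMessage

# Attributes a renderer fetches automatically on display: src= (img, iframe,
# script) and CSS url(). Plain <a href> needs a click, so it is not counted.
_REMOTE_REF = re.compile(
    r"""(?:src|background)\s*=\s*["']?\s*https?://|url\(\s*["']?https?://""",
    re.IGNORECASE,
)


def remote_refs_in_html(html: str) -> int:
    """Count remote http(s) resource references in one HTML body."""
    return len(_REMOTE_REF.findall(html))


def html_parts_with_remote_content(raw: bytes) -> list:
    """Return (content-type, reference-count) for each text/html part that
    references remote content; an empty list means rendering fetches nothing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        n = remote_refs_in_html(part.get_content())  # decoded body text
        if n:
            hits.append((part.get_content_type(), n))
    return hits


def build_sample(html_body: str) -> bytes:
    """Build a constructed multipart/alternative message for testing."""
    m = EmailMessage()
    m["From"] = "alice@example.invalid"  # constructed address
    m["To"] = "bob@example.invalid"      # constructed address
    m["Subject"] = "sample"
    m.set_content("plain text alternative")
    m.add_alternative(html_body, subtype="html")
    return m.as_bytes()


# Constructed sample bodies: one inert, one that loads a remote image.
SAFE_HTML = "<p>Hello <b>Bob</b></p>"
REMOTE_HTML = '<p>Hello</p><img src="http://images.example.invalid/logo.png">'

if __name__ == "__main__":
    print(html_parts_with_remote_content(build_sample(SAFE_HTML)))    # []
    print(html_parts_with_remote_content(build_sample(REMOTE_HTML)))  # [('text/html', 1)]
```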

Trojans taking screenshots are a much bigger threat, and they're very real... 💩

@resist_berlin I wonder how many mail servers will refuse to connect in plaintext to another SMTP server if it doesn't advertise the STARTTLS capability?

@seanl My provider has an optional TLS guarantee and will then absolutely refuse to send e-mails when server-to-server TLS is not possible. Me likey. More information about their TLS config here:

Can't speak for other providers though...

@seanl (and only once it rejected sending the mail so far, so TLS seems to be really widespread by now. Interestingly, the server unable to use TLS was my landlord's 😬 )

@resist_berlin right, someone has to steal my encrypted messages first before he can even try to pull this off (which will then fail in 99% of the cases)

but the general public has no clue what GPG even is. it's much ado about nothing. so... back to business as usual. /cc @amdt

@steckerhalter @resist_berlin Absolutely irresponsible behaviour from the security researcher involved to be frank!