In recent weeks, a theoretical downgrade attack against the new default encryption mode used by GnuPG 2.5 has been published. This comes two years after a theoretical downgrade attack was announced against GnuPG's new default *signature* format. Both issues have been addressed in the latest update to the official OpenPGP specification, but GnuPG has declared that it will not implement the fixes.

#gnupg #openpgp #librepgp

https://blog.pgpkeys.eu/security-issues-librepgp-2024-08.html

I gave a talk at #fosdem #fosdem2024.

Video and slides are now available:
https://fosdem.org/2024/schedule/event/fosdem-2024-2849--security-thunderbird-email-security-plans-and-challenges-/

#thunderbird #security #openpgp #librepgp #smime

I'm interested in your feedback on these thoughts. Either here, or, if your feedback is longer, for a discussion it might be best to post to
https://thunderbird.topicbox.com/groups/e2ee

Thanks a lot to the organizers of @fosdem and the modern email developer room.
https://github.com/modern-email/FOSDEM-24?tab=readme-ov-file#contact

If you use #GnuPG #GPG, and you would like to ensure interoperability with Thunderbird, you might consider to disable the use of #LibrePGP features, by using option --rfc4880 in your configuration (e.g. by adding a line with the word "rfc4880" to your gpg.conf file.)
At this time it is undecided whether future Thunderbird versions will support LibrePGP or the upcoming refresh of the #IETF #OpenPGP specification, or both, or none of them. Hopefully we'll eventually see a new universal standard.

Good writeup on the #openpgp #librepgp fork in c’t magazine (German, paywalled)

“The majority of the IETF OpenPGP working group has probably committed to the crypto-refresh draft and continues to work on finalising it.

Some members of the Open PGP community are afraid that there will be two incompatible standards in the future and it will be even more complicated for users to use PGP than it already is.”

https://www.heise.de/select/ct/2024/1/2334008195287180149

#LibrePGP is an alternative, updated specification of the #OpenPGP encryption standard.

Implementations like RNP (used by Thunderbird) and GnuPG (the crypto engine in Gpg4win) have working code in their implementations since 2018.

Read up on the different focus that https://librepgp.org/ sets for updating #OpenPGP.