On 05/14/2018 01:48 PM, grarpamp wrote:
https://efail.de/
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
https://efail.de/efail-attack-paper.pdf
https://twitter.com/matthew_d_green/status/995989254143606789
https://news.ycombinator.com/item?id=17064129
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilitie...
https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smim...
The EFAIL attacks break PGP and S/MIME email encryption by coercing clients into sending the full plaintext of the emails to the attacker. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.
Hmm. No time to dig into this just now, but at first glance: "EFAIL abuses active content of HTML emails" ... indicating that this attack would most likely affect people who run wide-open systems.

Take away: E-mail messages != web pages, and processing them as such invites a world of stupidly unnecessary problems.
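The quoted summary names externally loaded images and styles as the channel EFAIL depends on. As an added example (not part of the original thread), this Python sketch lists the references in a message's HTML parts that a rendering client would fetch automatically; the sample message, the `tracker.invalid` hostnames and the attribute list are constructed assumptions, and the list is not exhaustive.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser

# Constructed sample HTML body; hostnames are placeholders.
HTML = """<html><head><link rel="stylesheet" href="http://tracker.invalid/a.css">
<style>body { background: url(//tracker.invalid/bg.png) }</style></head>
<body><img src="https://tracker.invalid/p.gif"><img src="cid:logo">
<a href="https://example.invalid/">clicked, not auto-fetched</a></body></html>"""
AUTO_FETCH = {"src", "background", "poster"}  # assumed, non-exhaustive
REMOTE = re.compile(r"^\s*(https?:)?//", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for each reference fetched on render."""
    def __init__(self):
        super().__init__()
        self.found, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value is None:
                continue
            fetched = name in AUTO_FETCH or (tag == "link" and name == "href")
            if fetched and REMOTE.match(value):
                self.found.append((tag, name, value.strip()))
            elif name == "style":  # inline CSS can also pull remote URLs
                self.found += [(tag, "style", u) for u in CSS_URL.findall(value)]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.found += [("style", "css", u) for u in CSS_URL.findall(data)]

def sample_message():
    """Build a constructed multipart/alternative message as raw text."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain text part")
    m.add_alternative(HTML, subtype="html")
    return m.as_string()

def remote_refs(raw_message):
    """Return remote references found in every text/html part."""
    finder = RemoteRefFinder()
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.found
```

An empty result from `remote_refs` means the HTML parts contain none of the checked reference types; embedded `cid:` images and ordinary `<a>` links are deliberately not reported.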