On 05/16/2018 01:27 PM, Shawn K. Quinn wrote:
On 05/15/2018 12:05 AM, Marina Brown wrote:
Remember the campaign against HTML email? I do. We were right.
The campaign is still ongoing. Maybe we have lost in the case of the vast majority of marketing/advertising lists, but Thunderbird and other email clients (thankfully) offer the option to not automatically load external links by default.
The default in a fresh Thunderbird install is to _not_ fetch remote resources. I've verified that in an Ubuntu LiveCD.
I do think a future version (actually, the next version) of Thunderbird and/or Enigmail needs to put up a big huge "danger" warning when they detect HTML email mixed with encrypted content, especially when it looks like someone has tried to put an encrypted blob as the destination of a link (which, as I understand it, is how this exploit works). There's no good reason to do this, and plenty of bad reasons.
That's a great idea. The best solution, I believe, would be a tweak to GnuPG that entirely breaks HTML and embedded remote content. That would protect against Efail, no matter how email clients were configured. It'd also protect against other exploits that depend on fetching remote content. And it wouldn't require users to entirely forgo HTML and embedded remote content. Just with GnuPG.
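A detection heuristic of the kind proposed in this thread (warn when an HTML mail mixes encrypted content with remote references, in particular a link or image whose destination wraps a PGP block), written here as an added example; it is not code from the thread, from Thunderbird or from Enigmail. It assumes the scanner is handed the raw message text; the sample message, host name and ciphertext placeholder are constructed.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import unquote

PGP_BEGIN = "-----BEGIN PGP MESSAGE-----"
# tag -> attribute whose value a mail client would fetch or follow
REMOTE_ATTRS = {"img": "src", "a": "href", "link": "href", "iframe": "src"}

class RemoteRefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) for every fetchable/followable reference

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == REMOTE_ATTRS.get(tag) and value:
                self.refs.append((tag, value))

def suspicious_refs(html):
    """Remote references whose destination carries PGP armor (also checked after
    percent-decoding) or is far too long for an ordinary link."""
    collector = RemoteRefCollector()
    collector.feed(html)
    return [(tag, url) for tag, url in collector.refs
            if PGP_BEGIN in unquote(url) or len(url) > 2048]

def scan_message(raw):
    """Walk a raw RFC 822 message: does it mix HTML with PGP content, and which
    remote references look like an encrypted blob used as a URL?"""
    msg = message_from_string(raw)
    has_html = has_pgp = False
    flagged = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if part.get_content_type() == "application/pgp-encrypted" or PGP_BEGIN in body:
            has_pgp = True
        if part.get_content_type() == "text/html":
            has_html = True
            flagged.extend(suspicious_refs(body))
    return {"mixed_html_and_pgp": has_html and has_pgp, "flagged": flagged}

# Constructed sample: one ordinary image plus an <img> whose URL wraps a placeholder PGP block.
SAMPLE = """MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Report attached.</p><img src="http://remote.example/logo.png">
<img src="http://remote.example/?q=-----BEGIN PGP MESSAGE-----hQEMA0placeholder==-----END PGP MESSAGE-----">
"""
```

Running `scan_message(SAMPLE)` reports the mail as mixing HTML and PGP and flags only the second image; the ordinary logo reference is left alone, which is the distinction a client warning would need to make.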