On 05/16/2018 09:05 PM, juan wrote:
On Wed, 16 May 2018 01:52:12 -0400 Steve Kinney <admin@pilobilus.net> wrote:
On 05/14/2018 01:48 PM, grarpamp wrote:
The EFAIL attacks break PGP and S/MIME email encryption by coercing clients into sending the full plaintext of the emails to the attacker.
Werner & Co. respond:
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html
Spoiler: If your e-mail client software is not borken and malconfigured, this is Not A Thing.
It doesn't have to be broken as far as I can tell. The trick to get your client to decrypt a message and send the plaintext conforms to the 'mime' protocol garbage.
It's a FEATURE not a bug!! =P
Aw, you know perfectly well what I mean: Friends don't let friends' e-mail software obey external commands to fetch and (worse) display or execute arbitrary content from arbitrary sources. "Active content" provides a vast array of practical attack vectors to those whose chosen tools /enable/ that content to do so. On purpose. For no reason half worth the exposure. By default, professional quality tools do no such thing unless prompted by the user, bless its pointy little head. Consider for example Mozilla Thunderbird: All-platform, full service on all fronts (access your webmail accounts via IMAP and render them as plain text, for God's sake!), and Free as in if you don't like it, go hack on the code yourself or hire it done to your specifications. :o)
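As an added illustration, not from the thread or from any of the projects mentioned: a small Python check a mail filter could run to flag the combination the thread is arguing about, a PGP/MIME encrypted part sitting in the same message as an HTML part that references remote resources. A client that auto-fetches such content is the only reason the combination matters; the sample message and its hosts are constructed.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample (hypothetical hosts): a PGP/MIME encrypted part placed next to
# an HTML part that references a remote image, inside one multipart/mixed message.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html

<html><body><img src="http://attacker.invalid/x.png"></body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
--enc--
--outer--
"""
# Same structure with no remote reference, for comparison.
SAFE = SAMPLE.replace('<img src="http://attacker.invalid/x.png">', "plain greeting")

# Attribute or CSS reference that would make a client fetch something over the network.
REMOTE_REF = re.compile(r"""(?:src|href|url)\s*[=(]\s*["']?\s*https?://""", re.I)

def remote_refs(msg: Message) -> list:
    """Collect remote resource references from every text/html part."""
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", errors="replace")
            refs.extend(m.group(0) for m in REMOTE_REF.finditer(body))
    return refs

def has_encrypted_part(msg: Message) -> bool:
    # PGP/MIME (RFC 3156) wraps ciphertext in a multipart/encrypted container.
    return any(p.get_content_type() == "multipart/encrypted" for p in msg.walk())

def efail_exposure(raw: str) -> dict:
    """Flag messages where auto-fetching remote content could carry decrypted text."""
    msg = message_from_string(raw)
    refs = remote_refs(msg)
    enc = has_encrypted_part(msg)
    return {"encrypted": enc, "remote_refs": len(refs), "risky": enc and bool(refs)}
```

The check is a structural heuristic: it says nothing about the ciphertext itself, only that the surrounding message asks the client to fetch something, which is exactly what a client configured to render plain text and ignore remote content will never do.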