EFail - OpenPGP S/MIME Vulnerability
catskillmarina at gmail.com
Mon May 14 23:24:30 PDT 2018
On 05/15/2018 02:14 AM, Mirimir wrote:
> On 05/14/2018 06:05 PM, Marina Brown wrote:
>> On 05/14/2018 07:49 PM, Mirimir wrote:
>>> On 05/14/2018 06:48 AM, grarpamp wrote:
>>>> The EFAIL attacks break PGP and S/MIME email encryption by coercing
>>>> clients into sending the full plaintext of the emails to the attacker.
>>>> In a nutshell, EFAIL abuses active content of HTML emails, for example
>>>> externally loaded images or styles, to exfiltrate plaintext through
>>>> requested URLs. To create these exfiltration channels, the attacker
>>>> first needs access to the encrypted emails, for example, by
>>>> eavesdropping on network traffic, compromising email accounts, email
>>>> servers, backup systems or client computers. The emails could even
>>>> have been collected years ago.
>>> Thanks. That's the clearest explanation I've seen.
>> Remember the campaign against HTML email ? I do.
>> We were right.
>> --- Marina
> Right, and its evil child, remote content.
> I always disable HTML. And fetching of remote content.
> And I have since the 90s. I got that from this list :)
> It's funny that these exploits depend on both. And that some on HN put
> it all on pgp/gpg, arguing that one can't expect users to know this
> stuff. By default, Thunderbird does render HTML. But at least it doesn't
> fetch remote content. So Thunderbird+Enigmail users should be safe.
Honestly i'm missing PINE and ELM right about now.
More information about the cypherpunks