EFail - OpenPGP S/MIME Vulnerability

Mirimir mirimir at riseup.net
Wed May 16 17:58:13 PDT 2018

On 05/16/2018 01:27 PM, Shawn K. Quinn wrote:
> On 05/15/2018 12:05 AM, Marina Brown wrote:
>> Remember the campaign against HTML email ? I do.
>> We were right.
> The campaign is still ongoing. Maybe we have lost in the case of the
> vast majority of marketing/advertising lists, but Thunderbird and other
> email clients (thankfully) offer the option to not automatically load
> external links by default.

The default in a fresh Thunderbird install is to _not_ fetch remote
resources. I've verified that in an Ubuntu LiveCD.

> I do think a future version (actually, the next version) of Thunderbird
> and/or Enigmail need to put up a big huge "danger" warning when they
> detect HTML email mixed with encrypted content, especially when it looks
> like someone has tried to put an encrypted blob as the destination of a
> link (which as I understand it, is how this exploit works). There's no
> good reason to do this, and plenty of bad reasons.

That's a great idea.

The best solution, I believe, would be a tweak to GnuPG that entirely
breaks HTML and embedded remote content. That would protect against
Efail, no matter how email clients were configured. It'd also protect
against other exploits that depend on fetching remote content. And it
wouldn't require users to entirely forgo HTML and embedded remote
content. Just with GnuPG.

More information about the cypherpunks mailing list