EFail - OpenPGP S/MIME Vulnerability

Steve Kinney admin at pilobilus.net
Wed May 16 22:30:09 PDT 2018

On 05/16/2018 09:05 PM, juan wrote:
> On Wed, 16 May 2018 01:52:12 -0400
> Steve Kinney <admin at pilobilus.net> wrote:
>> On 05/14/2018 01:48 PM, grarpamp wrote:
>>> The EFAIL attacks break PGP and S/MIME email encryption by coercing
>>> clients into sending the full plaintext of the emails to the
>>> attacker.
>> Werner & Co. respond:
>> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html
>> Spoiler:  If your e-mail client software is not borken and
>> malconfigured, this is Not A Thing.
> 	it doesn't have to be broken as far as I can tell. The trick to
> 	get your client to decrypt a message and send the plaintext
> 	conforms to the 'mime' protocol garbage. 
> 	It's a FEATURE not a bug!! =P

Aw, you know perfectly well what I mean:  Friends don't let friends'
e-mail software obey external commands to fetch and (worse) display or
execute arbitrary content from arbitrary sources.  "Active content"
provides a vast array of practical attack vectors to those whose chosen
tools /enable/ that content to do so.  On purpose.  For no reason half
worth the exposure.

By default, professional quality tools do no such thing unless prompted
by the user, bless its pointy little head.  Consider for example Mozilla
Thunderbird:  All-platform, full service on all fronts (access your
webmail accounts via IMAP and render them as plain text, for God's
sake!), and Free as in if you don't like it, go hack on the code
yourself or hire it done to your specifications.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20180517/c0222263/attachment-0002.sig>

More information about the cypherpunks mailing list