EFail - OpenPGP S/MIME Vulnerability
- Subject: EFail - OpenPGP S/MIME Vulnerability
- From: admin at pilobilus.net (Steve Kinney)
- Date: Mon, 14 May 2018 17:40:49 -0400
- In-reply-to: <CAD2Ti2_u_=Tvvp0nGwGkvj1pUKj+UAn9UdhkGKfr_DVpb2hQWg@mail.gmail.com>
- References: <CAD2Ti2_u_=Tvvp0nGwGkvj1pUKj+UAn9UdhkGKfr_DVpb2hQWg@mail.gmail.com>
On 05/14/2018 01:48 PM, grarpamp wrote:
> https://efail.de/
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
> https://efail.de/efail-attack-paper.pdf
> https://twitter.com/matthew_d_green/status/995989254143606789
> https://news.ycombinator.com/item?id=17064129
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
> https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
>
>
> The EFAIL attacks break PGP and S/MIME email encryption by coercing
> clients into sending the full plaintext of the emails to the attacker.
> In a nutshell, EFAIL abuses active content of HTML emails, for example
> externally loaded images or styles, to exfiltrate plaintext through
> requested URLs. To create these exfiltration channels, the attacker
> first needs access to the encrypted emails, for example, by
> eavesdropping on network traffic, compromising email accounts, email
> servers, backup systems or client computers. The emails could even
> have been collected years ago.
Hmm. No time to dig into this just now, but at first glance:
"EFAIL abuses active content of HTML emails"
... indicating that this attack would most likely affect people who run
wide-open systems. Take away: E-mail messages != web pages, and
processing them as such invites a world of stupidly unnecessary problems.