[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
EFail - OpenPGP S/MIME Vulnerability
- Subject: EFail - OpenPGP S/MIME Vulnerability
- From: catskillmarina at gmail.com (Marina Brown)
- Date: Tue, 15 May 2018 01:05:30 -0400
- In-reply-to: <[email protected]>
- References: <CAD2Ti2_u_=Tvvp0nGwGkvj1pUKj+UAn9UdhkGKfr_DVpb2hQWg@mail.gmail.com> <[email protected]>
On 05/14/2018 07:49 PM, Mirimir wrote:
> On 05/14/2018 06:48 AM, grarpamp wrote:
>> https://efail.de/
>> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
>> https://efail.de/efail-attack-paper.pdf
>> https://twitter.com/matthew_d_green/status/995989254143606789
>> https://news.ycombinator.com/item?id=17064129
>> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>> https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
>>
>>
>> The EFAIL attacks break PGP and S/MIME email encryption by coercing
>> clients into sending the full plaintext of the emails to the attacker.
>> In a nutshell, EFAIL abuses active content of HTML emails, for example
>> externally loaded images or styles, to exfiltrate plaintext through
>> requested URLs. To create these exfiltration channels, the attacker
>> first needs access to the encrypted emails, for example, by
>> eavesdropping on network traffic, compromising email accounts, email
>> servers, backup systems or client computers. The emails could even
>> have been collected years ago.
>
> Thanks. That's the clearest explanation I've seen.
>
Remember the campaign against HTML email ? I do.
We were right.
--- Marina