On 05/26/2018 11:18 AM, Aleksandar Lazic wrote:
>> Note also that mail encryption is currently NOT secure
>> (CVE-2017-17688): https://efail.de/
>
> Please be more precise!
> https://efail.de/#mitigations
> The encryption is still secure.
> The attack works because of *not good* gpg/smime implementation in the
> mail clients.

Yes: my statement was in "short form", with a link for details.
The problem is actually not encryption, but MUAs not respecting the mime
structure of received composite mails at some level.
Thunderbird/Enigmail, which is mentioned by Alain, fixes it in 52.8
(https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/) which
is very young (May 18, 2018) thus not likely to be installed on most
workstations.

> The bottom line for me is, don't use HTML emails!
> Plaintext mails are still secure, IMHO.

No they aren't: the HTML leading and trailing parts are supposed to be
forged by a MITM before reaching the recipient's MUA, therefore out of
sender's or recipient's control.
In any case, this is out of curl scope: I wrote this note just to bring
Alain's attention to it.
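
A receiving-side check for the structure discussed in this thread, an encrypted part that shares a multipart container with text/html siblings. This is an added example, not part of the original posts and not curl code; the function names and both sample messages are constructed, and the sibling rule is a heuristic that assumes a well-formed encrypted mail carries its encrypted part on its own rather than next to HTML parts.

```python
from email import message_from_bytes, policy

ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime",
                   "application/x-pkcs7-mime"}
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

def is_encrypted(part):
    """PGP/MIME or S/MIME part, or a text/plain part holding inline PGP armor."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    if part.get_content_type() != "text/plain":
        return False
    return PGP_ARMOR in (part.get_payload(decode=True) or b"")

def sandwiched_encrypted_parts(raw):
    """Content types of encrypted parts that have a text/html sibling."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for container in msg.walk():
        if not container.is_multipart():
            continue
        children = list(container.iter_parts())
        if any(c.get_content_type() == "text/html" for c in children):
            findings += [c.get_content_type() for c in children
                         if is_encrypted(c)]
    return findings

# Constructed samples: placeholder bodies, no real ciphertext.
CLEAN = (b"MIME-Version: 1.0\r\n"
         b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n"
         b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n")
SUSPECT = (b"MIME-Version: 1.0\r\n"
           b'Content-Type: multipart/mixed; boundary="b"\r\n\r\n'
           b"--b\r\nContent-Type: text/html\r\n\r\n<p>leading</p>\r\n"
           b"--b\r\nContent-Type: application/pkcs7-mime\r\n"
           b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
           b"--b\r\nContent-Type: text/html\r\n\r\n<p>trailing</p>\r\n"
           b"--b--\r\n")

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, sandwiched_encrypted_parts(raw))
```

A non-empty result is a reason to quarantine the message or render it as plain text only; it does not prove tampering.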