On 05/14/2018 01:48 PM, grarpamp wrote: > https://efail.de/ > https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html > https://efail.de/efail-attack-paper.pdf > https://twitter.com/matthew_d_green/status/995989254143606789 > https://news.ycombinator.com/item?id=17064129 > https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now > https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/ > > > The EFAIL attacks break PGP and S/MIME email encryption by coercing > clients into sending the full plaintext of the emails to the attacker. > In a nutshell, EFAIL abuses active content of HTML emails, for example > externally loaded images or styles, to exfiltrate plaintext through > requested URLs. To create these exfiltration channels, the attacker > first needs access to the encrypted emails, for example, by > eavesdropping on network traffic, compromising email accounts, email > servers, backup systems or client computers. The emails could even > have been collected years ago.
Hmm. No time to dig into this just now, but at first glance: "EFAIL abuses active content of HTML emails" ... indicating that this attack would most likely affect people who run wide-open systems. Take away: E-mail messages != web pages, and processing them as such invites a world of stupidly unnecessary problems.
signature.asc
Description: OpenPGP digital signature
