On 05/14/2018 06:05 PM, Marina Brown wrote:
> On 05/14/2018 07:49 PM, Mirimir wrote:
>> On 05/14/2018 06:48 AM, grarpamp wrote:
>>> https://efail.de/
>>> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
>>> https://efail.de/efail-attack-paper.pdf
>>> https://twitter.com/matthew_d_green/status/995989254143606789
>>> https://news.ycombinator.com/item?id=17064129
>>> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>>> https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
>>>
>>> The EFAIL attacks break PGP and S/MIME email encryption by coercing
>>> clients into sending the full plaintext of the emails to the attacker.
>>> In a nutshell, EFAIL abuses active content of HTML emails, for example
>>> externally loaded images or styles, to exfiltrate plaintext through
>>> requested URLs. To create these exfiltration channels, the attacker
>>> first needs access to the encrypted emails, for example, by
>>> eavesdropping on network traffic, compromising email accounts, email
>>> servers, backup systems or client computers. The emails could even
>>> have been collected years ago.
>>
>> Thanks. That's the clearest explanation I've seen.
>>
>
> Remember the campaign against HTML email? I do.
> We were right.
>
> --- Marina

Right, and its evil child, remote content.

I always disable HTML. And fetching of remote content. And I have since the 90s. I got that from this list :)

It's funny that these exploits depend on both. And that some on HN put it all on pgp/gpg, arguing that one can't expect users to know this stuff.

By default, Thunderbird does render HTML. But at least it doesn't fetch remote content. So Thunderbird+Enigmail users should be safe.
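
The dependency on HTML rendering plus remote content discussed in this thread can be audited per message. The following is an added example, not part of any poster's message: it lists the URLs in a message's HTML parts that a client would request while rendering if remote content were enabled. The hosts and the sample message are constructed, and the attribute list is an assumption that is conservative rather than exhaustive.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# (tag, attribute) pairs a rendering client may fetch without any click (assumed list).
AUTO_FETCH = {("img", "src"), ("link", "href"), ("iframe", "src"), ("script", "src"),
              ("embed", "src"), ("object", "data"), ("input", "src"),
              ("video", "poster"), ("body", "background")}
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)          # http(s):// or scheme-relative
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs, self.in_style = [], False
    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        for name, value in attrs:
            if value and (tag, name) in AUTO_FETCH and REMOTE.match(value):
                self.refs.append((tag, name, value.strip()))
            elif value and name == "style":               # inline CSS url(...)
                self.refs += [(tag, name, u) for u in CSS_URL.findall(value)]
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
    def handle_data(self, data):
        if self.in_style:                                 # CSS inside <style> blocks
            self.refs += [("style", "url()", u) for u in CSS_URL.findall(data)]

def remote_refs(raw_message):
    """Return (tag, attribute, url) for every remote load in the text/html parts."""
    found = []
    for part in message_from_string(raw_message, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            found += finder.refs
    return found

# Constructed sample message; hosts are placeholders, not taken from the thread.
HTML = """<html><head><style>body{background:url('https://tracker.example/bg.png')}</style>
<link rel="stylesheet" href="//cdn.example/s.css"></head><body><img src="cid:logo">
<img src="https://tracker.example/p.gif?id=1"><a href="https://example.org/">x</a></body></html>"""
sample = EmailMessage()
sample.set_content("plain text alternative")
sample.add_alternative(HTML, subtype="html")
SAMPLE = sample.as_string()
if __name__ == "__main__":
    print(*remote_refs(SAMPLE), sep="\n")
```

An empty result means the HTML parts reference nothing remote; embedded `cid:` images and ordinary links that need a click are deliberately not reported.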
