On Tue, May 15, 2018 at 9:37 AM, Grant Taylor < [email protected]> wrote:
> On 05/15/2018 10:09 AM, John Levine wrote:
>
>> I suppose, for the 10 seconds from the time the message is created until
>> the attacker's MTA signs it on the way out. The bad guy can put a return
>> address he controls on the malicious message and make the whole thing DMARC
>> compliant.
>>
>
> There is a much larger attack window than that.
>
> If an attacker gets a copy of an encrypted message, anywhere at any time,
> they can craft a new completely unrelated message that includes the
> ciphertext and coerce the receiving MUA to decrypt it and exfiltrate the
> cleartext.
>

People who run their GUI MUA to auto-decrypt and display undefanged HTML
probably also run that client as root so the exploit is really quite a lot more
risky than even the hype has made out.

--Kurt
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
