Hi all,

I was looking at a CERT security advisory today that describes an attack
using the application/pgp-encrypted mime type to decrypt sensitive
information; however, the attack scenario doesn't make a lot of sense to me.

https://www.kb.cert.org/vuls/id/122919
https://efail.de/efail-attack-paper.pdf

What exactly is the threat? All I can put together is an attacker can
encrypt a malicious html email which, when rendered, makes http requests.
Not always a good thing, but no different than if a victim renders
non-encrypted html email anyway. Is that correct?

The paper seems to suggest that an attacker collecting encrypted data
(emails) of a victim may then decipher them if the malicious html/pgp email
is decrypted by the victim, because secret data (private key) is sent to
the attacker's webserver.

Could someone clarify how this attack scenario plays out? Are these
pgp/html mail clients actually so broke that they would send crypto secrets
as part of an http request while rendering a malicious email?

-George



-- 
George Georgalis, (415) 894-2710, http://www.galis.org/
