On Tue, May 15, 2018 at 3:53 AM, Matt Sporleder <[email protected]> wrote:
> > > > On May 15, 2018, at 12:55 AM, Dave Huang <[email protected]> wrote: > > > >> On 5/14/2018 18:59, George Georgalis wrote: > >> What exactly is the threat? All I can put together is an attacker can > encrypt a malicious html email which, when rendered, makes http requests. > Not always a good thing, but no different than if a victim renders > non-encrypted html email anyway. Is that correct? > > > > My understanding is that if an attacker can pose as a man-in-the-middle > for your email, they can modify an encrypted email so that when you receive > it, it'll send the decrypted email to the attacker. > > > > -- > > > > This was my understanding of the most obvious attack as well. > > Another one might be to email someone an encrypted file you ready have to > get it decrypted for you (passwords.txt.pgp found in your company git repo > or something) > Well, we certainly wouldn't want that decrypted as part of an HTTP GET request! Thanks for your comment. -George -- George Georgalis, (415) 894-2710, http://www.galis.org/
