Am 06.06.2018 um 10:04 schrieb Werner Koch: > On Mon, 21 May 2018 19:11, r...@sixdemonbag.org said: > >> Efail is not just an HTML rendering bug. It includes very real >> attacks against S/MIME as it's used by thousands of corporations. > > I have not yet seen any hints on how a back-channel within the S/MIME > protocol can work. There are claims that this can be done with CRLs and > OCSP but that all requires substantial implementaion bugs in the S/MIME > engines. The paper presents only vague ideas. Did I miss something?
A backchannel in a technology is not a vulnerability per se. At its core, the Efail CBC/CFB gadget attack modifies a ciphertext in a way that it *exfiltrates its own plaintext* when opened. The paper shows that this is practical for HTML email clients. The generic concept of the CBC/CFB gadget attack, however, is neither limited to HTML, nor to emails. It is plausible to transform the attack to other data formats supporting backchannels. It's up to the creativity of the attacker to come up with other scenarios. Adam Langley touched another scenario already in 2014: https://www.imperialviolet.org/2014/06/27/streamingencryption.html The central flaws for CBC/CFB gadgets to work are (a) missing authenticated encryption in S/MIME and (b) not properly enforced integrity protection in OpenPGP. We won't fix malleable encryption by tinkering with HTML, x509 and MIME parsers. Best, Sebastian _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
