> Efail-1 was what Werner is talking about here.  It was a pretty bad
> blow to S/MIME, but far less so to OpenPGP, since OpenPGP has had 
> countermeasures in place for almost twenty years.  Efail-1's impact
> on OpenPGP was, is, minimal.
I actually spend a lot of time investigating the impact of EFAIL on
S/MIME and it's my opinion that the real impact has been overblown. In
all my experiments, and I can tell you I have done a lot of them, I have
not been able to force a mail client to actually forward the decrypted
content to a remote system.

The CBC attack is serious because modifying encrypted content is not
something you expect from a security point of view. But the real life
impact is not as big as they wanted us to believe (IMHO). I have asked
the EFAIL authors for examples on real life attacks (of the CBC problem
related to S/MIME) but I never got a real answer whether they were able
to use the attack in real life situation.

I think the problem with the paper was that they discusses two separate
issues. The issue with Efail-2 was serious but that was more an mail
client issue.

Kind regards,

Martijn

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to