Hello,
today a new threat againts encrypted e-mail (PGP and S/MIME) is in the news:
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
From what i understand the basic problem is that it is possible to
inject special data in already encrypted e-mail, which than will be
reported back after decryption with HTML URLs to the attacker and can
be used to derive the key used for encryption.
So i guess one would need the following conditions to be true for the
attack to succeed
- The MUA access external URLs to load content in HTML e-mail (automatically)
- The e-mail will be decode despite the altered content (not vaild
signed at least)
- Probably many e-mails are needed to get the oracle attack to work?
So for Ciphermail there should be no direct problem because it does
not "read" the e-mail or obey URLs in the e-mail? But the question
remains if there is a possibilty to prevent the "vulnerable" clients
againts attack e-mail passing Ciphermail by not decrypting them or
something like that?
Maybe i'm totaly wrong, but thanks for any feedback on this
Regards
Andreas
_______________________________________________
Users mailing list
Users@lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users