Date: Tue, 15 May 2018 10:22:46 +0200 From: Yves-Alexis Perez <corsac@...ian.org> To: Brian May <brian@...uxpenguins.xyz>, oss-security@...ts.openwall.com Subject: Re: PGP/MIME and S/MIME mail clients vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, 2018-05-15 at 17:40 +1000, Brian May wrote: > Have a look at some official statements on this: > > * https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html > * https://protonmail.com/blog/pgp-vulnerability-efail/ > > For the case of PGP it sounds like the only problems occur when mail > clients ignore the GPG hints. Thanks for the links (I had already included the information in my summary though). > > For S/MIME, it does sound like the standard is broken and needs fixing. That was my understanding as well, thus the mitigations. > > If I understand this correctly, the "Direct Exfiltration" is an attack > that doesn't require modifying the encrypted data - so presumably the > MDC in PGP won't help. Yes indeed. > To me this sounds like a email client problem > (allowing mixing encrypted and encrypted data in the one HTML document > seems like a very bad idea), but the https://efail.de/ page says the > standards need to be updated to fix this. Maybe the fixing the standard will help, but indeed the client can already sanitize the various chunks of message and not render them as part of one HTML document. As far as I can tell only Thunderbird was vulnerable to this (in open-source software), but I can't find a CVE number or a public bug for this. Regards, - -- Yves-Alexis -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlr6mNYACgkQ3rYcyPpX RFtn4ggAtq1Ex6jbj0XbMxQt2j9l4/p1OFSoemqJEEXse2E6cgB/UMd4LPBpzeW0 kS1I6glL4j3ODpUrcBKFkWTqUMXwYATayzBGX08HWti5vj+CRtqd+QtpMziymhiC UzB77gsDi3IBssANPDVrW1YmF/pN5FUvrmBx6F+yEXOd0dQkKwQrbnvgQVskVGBP TisoHpMDvEAZGToNlHh/HokonliCnnN7vQRp4ZiardcWsFY5oBnmHcvZKYaW1R9G PG65KWRDSxiU9hB6UGoZNAgM8vlBjZzEk6kgSm8XC5vam2Co/Egg0JQenK0C8YyP ATG6D5cEDa31XswrNeZLVr5VF035JQ== =dZri -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ