danger of decrypted files without integrity protection

Greg Troxel gdt at lexort.com
Thu May 17 19:43:26 CEST 2018

Bernhard Reiter <bernhard at intevation.de> writes:

> On Thursday, 17 May 2018 15:05:35, Greg Troxel wrote:
>> In your example, you asked a browser to render html, which has different
>> norms than rendering incoming (and hence not requested by the user)
>> email.  Even a relatively paranoid browser with uMatrix will render
>> images from different origins.
> It is a detail to the questions:
>  * is decrypting an email manually outside of a mailer safe? 
>    -> no - for files that potentially will call home on opening

Decrypting is not the problem.  The problem is evaluating the file
either with a program that interprets it and does unsafe things, or that
is exploitable (e.g. because it is buggy, perhaps because the format is
too complicated).  All of these issues are also present with handling
files that were not recently decrypted.
