efail is imho only a html rendering bug

Werner Koch wk at gnupg.org
Wed Jun 6 10:04:59 CEST 2018

On Mon, 21 May 2018 19:11, rjh at sixdemonbag.org said:

> Efail is not just an HTML rendering bug.  It includes very real
> attacks against S/MIME as it's used by thousands of corporations.

I have not yet seen any hints on how a back-channel within the S/MIME
protocol can work.  There are claims that this can be done with CRLs and
OCSP but that all requires substantial implementaion bugs in the S/MIME
engines.  The paper presents only vague ideas.  Did I miss something?

Note that when talking about S/MIME I actually mean the CMS/X.509 part
and not the MIME part of it.  For sure the same MIME parser bugs a few
OpenPGP MUAs showed will also work with S/MIME - and even easier due to
the missing intgerity protection at the crypto level.



#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180606/1c6d30cc/attachment.sig>

More information about the Gnupg-users mailing list