efail is imho only a html rendering bug
Werner Koch
wk at gnupg.org
Wed Jun 6 10:04:59 CEST 2018
On Mon, 21 May 2018 19:11, rjh at sixdemonbag.org said:
> Efail is not just an HTML rendering bug. It includes very real
> attacks against S/MIME as it's used by thousands of corporations.
I have not yet seen any hints on how a back-channel within the S/MIME
protocol can work. There are claims that this can be done with CRLs and
OCSP but that all requires substantial implementation bugs in the S/MIME
engines. The paper presents only vague ideas. Did I miss something?
Note that when talking about S/MIME I actually mean the CMS/X.509 part
and not the MIME part of it. For sure the same MIME parser bugs a few
OpenPGP MUAs showed will also work with S/MIME - and even easier due to
the missing integrity protection at the crypto level.
Shalom-Salam,
Werner
--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Thoughts are free. Exceptions are regulated by a federal law.