efail is imho only a html rendering bug

Sebastian Schinzel schinzel at fh-muenster.de
Wed Jun 6 17:11:54 CEST 2018

Am 06.06.2018 um 10:04 schrieb Werner Koch:
> On Mon, 21 May 2018 19:11, rjh at sixdemonbag.org said:
>> Efail is not just an HTML rendering bug.  It includes very real
>> attacks against S/MIME as it's used by thousands of corporations.
> I have not yet seen any hints on how a back-channel within the S/MIME
> protocol can work.  There are claims that this can be done with CRLs and
> OCSP but that all requires substantial implementaion bugs in the S/MIME
> engines.  The paper presents only vague ideas.  Did I miss something?

A backchannel in a technology is not a vulnerability per se. At its
core, the Efail CBC/CFB gadget attack modifies a ciphertext in a way
that it *exfiltrates its own plaintext* when opened. The paper shows
that this is practical for HTML email clients.

The generic concept of the CBC/CFB gadget attack, however, is neither
limited to HTML, nor to emails. It is plausible to transform the attack
to other data formats supporting backchannels. It's up to the creativity
of the attacker to come up with other scenarios. Adam Langley touched
another scenario already in 2014:

The central flaws for CBC/CFB gadgets to work are (a) missing
authenticated encryption in S/MIME and (b) not properly enforced
integrity protection in OpenPGP. We won't fix malleable encryption by
tinkering with HTML, x509 and MIME parsers.


More information about the Gnupg-users mailing list