Efail or OpenPGP is safer than S/MIME

Andrew Gallagher andrewg at andrewg.com
Mon May 14 11:03:48 CEST 2018

On 14/05/18 08:45, Werner Koch wrote:

> The topic of that paper is that HTML is used as a back channel to
> create an oracle for modified encrypted mails.

This confirms that my forensic analysis of the wording of the
announcement was sound. ;-)

The good thing is that oracle attacks are *noisy*, so you'll notice when
one happens.

> There are two ways to mitigate this attack
>  - Don't use HTML mails.  Or if you really need to read them use a
>    proper MIME parser and disallow any access to external links.

Unfortunately HTML mail is commonplace, so never reading an HTML mail
again may be too much to ask.

>  - Use authenticated encryption.

So how do we enforce MDC checking at the receiving end? I assume this is
something that has to be handled by the calling program at the moment. I
see that MDC is the default for all modern ciphers, but does that imply
that MDC *checking* is the default? If so, then all we would need to do
is disable non-modern ciphers.

Looks like S/MIME is pretty much buggered though...

Andrew Gallagher
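
Added example, not part of the original message and not GnuPG's own code: one way a calling program could enforce the integrity check discussed above, by parsing the output of gpg's `--status-fd` option and releasing the plaintext only when `DECRYPTION_OKAY` and `GOODMDC` are both present. The function names, the policy itself and the sample status lines are assumptions constructed for illustration.

```python
# Added example: the policy and helper names are hypothetical, and the
# sample status output below is constructed, not captured from a real run.
STATUS_PREFIX = "[GNUPG:] "


def status_keywords(status_text):
    """Return the set of status keywords found in --status-fd output."""
    keywords = set()
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                keywords.add(fields[0])
    return keywords


def plaintext_is_trustworthy(status_text, exit_code):
    """True only if decryption succeeded AND the integrity check was verified."""
    seen = status_keywords(status_text)
    if exit_code != 0:
        return False
    if seen & {"BADMDC", "DECRYPTION_FAILED"}:
        return False
    # A missing GOODMDC is treated as failure, not as "nothing to check".
    return {"DECRYPTION_OKAY", "GOODMDC"} <= seen


def release_plaintext(buffered_plaintext, status_text, exit_code):
    """Hand buffered plaintext to the renderer only after the check passes.

    The caller must buffer gpg's output until gpg has exited; passing it to
    an HTML renderer while it streams would defeat the check.
    """
    if plaintext_is_trustworthy(status_text, exit_code):
        return buffered_plaintext
    return None


# Constructed samples (simplified; real output carries more status lines).
SAMPLE_OK = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n"
             "[GNUPG:] GOODMDC\n[GNUPG:] END_DECRYPTION\n")
SAMPLE_NO_MDC = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n"
                 "[GNUPG:] END_DECRYPTION\n")
SAMPLE_BAD_MDC = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] BADMDC\n"
                  "[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n")

if __name__ == "__main__":
    for name, sample, code in [("ok", SAMPLE_OK, 0), ("no-mdc", SAMPLE_NO_MDC, 0),
                               ("bad-mdc", SAMPLE_BAD_MDC, 2)]:
        print(name, plaintext_is_trustworthy(sample, code))
```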

