Efail or OpenPGP is safer than S/MIME

Andrew Gallagher andrewg at andrewg.com
Mon May 14 13:36:59 CEST 2018


On 14/05/18 12:23, Robert J. Hansen wrote:
> It's worth noting, incidentally, the #Efail attack flat-out requires
> MIME.  So inline PGP messages are not vulnerable, as there's no MIME
> parsing pass which can be exploited.  So you're *still* safe

I wouldn't be that confident. I haven't tested PGP/MIME yet simply
because it's harder to construct the test message. The important point
is that we can't rely on gnupg's message integrity check to prevent
automatic decryption - so there's no good reason to believe that PGP
mail is any less vulnerable than S/MIME.

Note to anyone coming fresh to the conversation: disabling the display
of HTML email is *probably* a sufficient mitigation in either case.

-- 
Andrew Gallagher
