Efail or OpenPGP is safer than S/MIME

Andrew Gallagher andrewg at andrewg.com
Tue May 15 11:56:49 CEST 2018

On 15/05/18 08:58, Werner Koch wrote:
> Unless you change the default options of gpg or you encrypt to at least
> one old key there is no problem at all.  I assume that 99.9% of all GPG
> created messages are safe because they use MDC in away which allows the
> receiving GPG to hard fail if the MDC was stripped.

This is a very good point that I think has been overlooked in the chaos.
There are many different things going on here that overlap and interact.

The only emails that are in danger of being leaked *via the MDC issue*
are those that were originally encrypted using one of the obsolete
cipher suites. Anything encrypted with AES should be immune. This is

a) gnupg only falls back to compatibility mode for messages that use
obsolete ciphers, and

b) If you inject an AES cipherstream into a 3DES or CAST5 message (which
is how the CFB gadget trick works), you get garbage.


We should also be very careful to note that none of this discussion
thread applies to the MIME concatenation vulnerability, which is a
problem in Thunderbird and other mail clients, and which cannot be
solved by gnupg.

Andrew Gallagher

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 862 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180515/76e0a21f/attachment.sig>

More information about the Gnupg-users mailing list