Vulnerable clients

Uwe Brauer oub at
Wed May 16 10:48:52 CEST 2018

Sorry for this possible double posting. I am usually using gmane, but I
don't see my mail appearing so I resend it to the list, to which I
subscribed now.

   > On Tue, 15 May 2018 03:31, jerry at said:

   > My conclusion is that S/MIME is vulnerable in most clients with the
   > exception of The Bat!, Kmail, Claws, Mutt and Horde IMP.  I take the
   > requirement for a user consent as non-vulnerable.  Most of the
   > non-vulnerable clients use GnuPG as their engine.

Well, what about GNU Emacs (+gnus/vm/rmail)? I asked on the emacs dev
list and the default is to block external HTML images.

This client(s) is not mentioned, I presume the authors consider it as
being too *hackerish*, but it would be worthwhile to find out that with
the blocking I mentioned, GNU emacs is in fact not vulnerable.

   > For OpenPGP I see lots of no and only a few vulnerable clients: Support
   > for Outlook 2007 has long been dropped and Gpg4win/GpgOL gives a big
   > warning when you try to use it with OL2007.  All other Outlook versions
   > are not vulnerable.  The case for Thunderbird/Enigmail is not that clear
   > because the researcher confirmed that Enigmail 2.0 is in general not
   > vulnerable; we don't know which version of Enigmail was tested.  I don't
   > know Postbox, Apple mailers or Horde IMP.

I presume the same is true for GnuPG + GNU Emacs (+gnus/vm/rmail).

BTW: RMS asked on the emacs devel list whether, and I quote,

| If you allow a mail user agent to render HTML for you, you expose
| yourself to various kinds of surveillance and swindles.  Now, it seems,
| one of those might be a decryption exploit.
| Does the exploit depend on Javascript code that the MUI will execute?

Any comments?


Uwe Brauer 