Vulnerable clients
Uwe Brauer
oub at mat.ucm.es
Wed May 16 10:48:52 CEST 2018
Sorry for this possible double posting. I am usually using gmane, but I
don't see my mail appearing so I resend it to the list, to which I
subscribed now.
> On Tue, 15 May 2018 03:31, jerry at seibercom.net said:
> My conclusion is that S/MIME is vulnerable in most clients with the
> exception of The Bat!, Kmail, Claws, Mutt and Horde IMP. I take the
> requirement for a user consent as non-vulnerable. Most of the
> non-vulnerable clients use GnuPG as their engine.
Well, what about GNU emacs(+gnus/vm/rmail)? I asked in the emacs dev
list and the default is to block external HTML images.
This client(s) is not mentioned, I presume the authors consider it as
being too *hackerish*, but it would be worthwhile to find out that with
the blocking I mentioned, GNU emacs is in fact not vulnerable.
> For OpenPGP I see lots of no and only a few vulnerable clients: Support
> for Outlook 2007 has long been dropped and Gpg4win/GpgOL gives a big
> warning when you try to use it with OL2007. All other Outlook versions
> are not vulnerable. The case for Thunderbird/Enigmail is not that clear
> because the researcher confirmed that Enigmail 2.0 is in general not
> vulnerable; we don't know which version of Enigmail was tested. I don't
> know Postbox, Apple mailers or Horde IMP.
I presume the same is true for gnupg + GNU emacs(+gnus/vm/rmail).
BTW: RMS asked on the emacs devel list whether, and I quote,
,----
| If you allow a mail user agent to render HTML for you, you expose
| yourself to various kinds of surveillance and swindles. Now, it seems,
| one of those might be a decryption exploit.
|
| Does the exploit depend on Javascript code that the MUI will execute?
`----
Any comments?
Thanks
Uwe Brauer