Vulnerable clients

Werner Koch wk at gnupg.org
Wed May 16 14:42:03 CEST 2018


On Wed, 16 May 2018 10:48, oub at mat.ucm.es said:

>    > On Tue, 15 May 2018 03:31, jerry at seibercom.net said:
>
>    > My conclusion is that S/MIME is vulnerable in most clients with the
>    > exception of The Bat!, Kmail, Claws, Mutt and Horde IMP.  I take the
>    > requirement for a user consent as non-vulnerable.  Most of the
>    > non-vulnerable clients use GnuPG as their engine.

[For clarity: the above quote is by me]

> Well, what about GNU emacs(+gnus/vm/rmail)? I asked in the emacs dev
> list and the default is to block external HTML images.

Well, Emacs users don't view HTML mails, right?  At least I don't and use
W H to read HTML.  That does not load any images etc.

> This client(s) is not mentioned, I presume the authors consider it as
> being too *hackerish*, but it would be worthwhile to find out that with
> the blocking I mentioned, GNU emacs is in fact not vulnerable.

They also don't mention that Outlook plugin which is used by a lot of
people including the ACLU and thus Snowden's lawyer.  What I heard is
that it had several flaws in how it handles HTML.  But they tested tools I
never heard about.  BTW, why didn't they test the Volksverschlüsselung?

> BTW: RMS asked on the emacs devel list whether, and I quote,
>
> ,----
> | If you allow a mail user agent to render HTML for you, you expose
> | yourself to various kinds of surveillance and swindles.  Now, it seems,
> | one of those might be a decryption exploit.
> | 
> | Does the exploit depend on Javascript code that the MUI will execute?

No, it does not depend on Javascript.  Javascript in mails is like giving
out accounts to your box for free.


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.