Breaking MIME concatenation

Mirimir mirimir at
Fri May 18 02:09:41 CEST 2018

On 05/16/2018 08:59 PM, Werner Koch wrote:
> On Thu, 17 May 2018 01:39, mirimir at said:
>> However, I get that many users expect HTML, embedded images and links.
> Well they expect a bit of markup like *bold* or _underlined_ or
> /italics/ and links like but any decent MUA already
> supports this for plain text mails.  Proper GUI based MUAs also support
> inline images (which are part of MIME); I used such MUAs already in in
> the mid 90ies.
> I doubt that mail is the right thing to employ fancy CSS stuff, though.

I usually just look at text. But this has moved me to look at source for
some commercial messages. They're basically sending websites. Insane.

>> So the best solution would be a tweak to GnuPG that breaks HTML and
>> embedded remote content. That would protect against Efail, no matter how
> gpg will nver touch the payload.  If MUAs want to sanitize HTML, I won't
> have a problem with that.

Upon reflection, I get that. So yes, in MUAs.

But however implemented, the lesson here is that HTML and executable
code in messages aren't compatible with gpg security.

> Shalom-Salam,
>    Werner

More information about the Gnupg-users mailing list