Breaking MIME concatenation
mirimir at riseup.net
Fri May 18 02:09:41 CEST 2018
On 05/16/2018 08:59 PM, Werner Koch wrote:
> On Thu, 17 May 2018 01:39, mirimir at riseup.net said:
>> However, I get that many users expect HTML, embedded images and links.
> Well they expect a bit of markup like *bold* or _underlined_ or
> /italics/ and links like https://gnupg.org but any decent MUA already
> supports this for plain text mails. Proper GUI based MUAs also support
> inline images (which are part of MIME); I used such MUAs already in
> the mid 90s.
> I doubt that mail is the right thing to employ fancy CSS stuff, though.
I usually just look at text. But this has moved me to look at source for
some commercial messages. They're basically sending websites. Insane.
>> So the best solution would be a tweak to GnuPG that breaks HTML and
>> embedded remote content. That would protect against Efail, no matter how
> gpg will never touch the payload. If MUAs want to sanitize HTML, I won't
> have a problem with that.
Upon reflection, I get that. So yes, in MUAs.
But however implemented, the lesson here is that HTML and executable
code in messages aren't compatible with gpg security.