Breaking MIME concatenation

Mirimir mirimir at riseup.net
Fri May 18 02:09:41 CEST 2018


On 05/16/2018 08:59 PM, Werner Koch wrote:
> On Thu, 17 May 2018 01:39, mirimir at riseup.net said:
> 
>> However, I get that many users expect HTML, embedded images and links.
> 
> Well they expect a bit of markup like *bold* or _underlined_ or
> /italics/ and links like https://gnupg.org but any decent MUA already
> supports this for plain text mails.  Proper GUI based MUAs also support
> inline images (which are part of MIME); I used such MUAs already in
> the mid 90s.
> 
> I doubt that mail is the right thing to employ fancy CSS stuff, though.

I usually just look at text. But this has moved me to look at source for
some commercial messages. They're basically sending websites. Insane.

>> So the best solution would be a tweak to GnuPG that breaks HTML and
>> embedded remote content. That would protect against Efail, no matter how
> 
> gpg will never touch the payload.  If MUAs want to sanitize HTML, I won't
> have a problem with that.

Upon reflection, I get that. So yes, in MUAs.

But however implemented, the lesson here is that HTML and executable
code in messages aren't compatible with gpg security.

> Shalom-Salam,
> 
>    Werner
> 


