Efail - Possible Measures?

Patrick Brunschwig patrick at enigmail.net
Sat May 19 18:47:08 CEST 2018


In the light of the Efail vulnerability I am asking myself if it's
really needed to decrypt non-regular types of emails at all. In other
words, should we decrypt a multipart/encrypted MIME part at all if we
detect an irregular MIME structure?

If we would not decrypt irregular MIME structures, there cannot be an
issue with HTML displaying. This would be a good thing, if you're an
addon and you can't change the application you live in. I know that some
mail clients do this already, but all those clients that are affected by
Efail apparently don't.

I would consider the following "regular" MIME structures:

1. top-level MIME part is multipart/encrypted.
2. an attached email (Content-Type = message/rfc822) containing a
multipart/encrypted MIME part as direct child.

Does anyone know of other relevant types of message structures?
Does anyone see a reason why NOT to do that?

-Patrick
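
The check proposed in this message, sketched as an added example (not code from Enigmail or from the original post). It walks the MIME tree with Python's standard email package and marks a multipart/encrypted part as "regular" only when it is the root of a message: either the top-level part or the direct child of a message/rfc822 attachment. Assumptions: the attachment may sit at any depth, the walk does not descend into multipart/encrypted parts, all function names are hypothetical, and the sample messages are constructed.

```python
from email.mime.application import MIMEApplication
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def classify_encrypted_parts(msg):
    """Return [(path, is_regular)] for every multipart/encrypted part in msg."""
    found = []

    def walk(part, path, is_message_root):
        ctype = part.get_content_type()
        if ctype == "multipart/encrypted":
            # Regular only if this part is the root of a message.
            found.append((path, is_message_root))
            return  # children are the PGP/MIME control and ciphertext parts
        if part.is_multipart():
            # A message/rfc822 part holds exactly one embedded message,
            # which is the root of the attached e-mail.
            for i, child in enumerate(part.get_payload(), 1):
                walk(child, f"{path}.{i}", ctype == "message/rfc822")

    walk(msg, "1", True)
    return found


def decryptable_paths(msg):
    """Paths of the parts a client following the proposal would decrypt."""
    return [path for path, regular in classify_encrypted_parts(msg) if regular]


# --- constructed sample messages (placeholders, no real ciphertext) ---
def sample_encrypted():
    enc = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    enc.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    enc.attach(MIMEApplication(b"constructed placeholder", "octet-stream"))
    return enc


def sample_wrapped(*parts):
    mixed = MIMEMultipart("mixed")
    for p in parts:
        mixed.attach(p)
    return mixed


if __name__ == "__main__":
    sandwiched = sample_wrapped(MIMEText("placeholder", "html"),
                                sample_encrypted(),
                                MIMEText("placeholder", "html"))
    print(classify_encrypted_parts(sandwiched))  # encrypted part is irregular
```

A client applying the proposal would decrypt only the paths returned by decryptable_paths() and show every other multipart/encrypted part undecrypted.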
