[openpgp-email] Efail - Possible Measures?

Vincent Breitmoser look at my.amazin.horse
Sat May 19 19:02:55 CEST 2018


(Also cross-posting to Autocrypt)

Patrick Brunschwig(patrick at enigmail.net)@Sat, May 19, 2018 at 06:47:08PM +0200:
> In the light of the Efail vulnerability I am asking myself if it's
> really needed to decrypt non-regular types of emails at all. In other
> words, should we decrypt a multipart/encrypted MIME part at all if we
> detect an irregular MIME structure?

I used to parse stuff in a generic way in K-9 Mail at first, but changed it
later (mid 2016?) to show decrypted data only in known MIME structures.
I planned to add support for other things as they came up, but so far I haven't
received feedback about any incompatibilities.

> 1. top-level MIME part is multipart/encrypted.

This is the only MIME structure I handle; any other PGP/MIME structure will show
up as an attachment. When displaying a decrypted mail, the decrypted payload is
displayed like a normal message would be. PGP/INLINE is handled only if the PGP
data is the very first non-whitespace content, otherwise it won't be decrypted.

If there are MIME parts outside the encrypted payload, they are displayed as
"unprotected attachments" that require an extra click to open. For the case of
text/plain parts following the encrypted part, those are shown as "Unsigned
Text" at the bottom and displayed in a text-only widget, nicely covering the use
case of mailing list footers:

https://matrix.org/_matrix/media/v1/download/stratum0.org/cKjeJctipgVjBEXIMvrqLlJL

> 2. an attached email (Content-Type = message/rfc822) containing a
> multipart/encrypted MIME part as direct child.

I don't handle this. Does it come up for you?

 - V

PS: Randomly signing this message.
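
The display policy described in the message above, as an added Python example that is not part of the original post and is not K-9 Mail's code. The function names and sample messages are constructed, and it assumes a list footer arrives as a sibling after the encrypted part inside a multipart/mixed wrapper.

```python
from email import message_from_string

def is_pgp_mime_encrypted(part):
    """RFC 3156 shape: a control part followed by exactly one ciphertext part."""
    if part.get_content_type() != "multipart/encrypted" or not part.is_multipart():
        return False
    kids = part.get_payload()
    return (part.get_param("protocol") == "application/pgp-encrypted"
            and len(kids) == 2
            and kids[0].get_content_type() == "application/pgp-encrypted"
            and kids[1].get_content_type() == "application/octet-stream")

def plan_display(msg):
    """Return (part_to_decrypt, unsigned_text_parts, unprotected_attachments)."""
    if is_pgp_mime_encrypted(msg):
        return msg, [], []
    # Assumption: a footer wrapper is multipart/mixed with the encrypted part first.
    if msg.get_content_type() == "multipart/mixed" and msg.is_multipart():
        kids = msg.get_payload()
        if is_pgp_mime_encrypted(kids[0]):
            text = [k for k in kids[1:] if k.get_content_type() == "text/plain"]
            other = [k for k in kids[1:] if k.get_content_type() != "text/plain"]
            return kids[0], text, other
    # Any other structure: decrypt nothing, encrypted parts stay attachments.
    stray = [p for p in msg.walk() if p.get_content_type() == "multipart/encrypted"]
    return None, [], stray

def inline_pgp_allowed(body):
    """PGP/INLINE only when the armor is the first non-whitespace content."""
    return body.lstrip().startswith("-----BEGIN PGP MESSAGE-----")

# Constructed sample messages (no real ciphertext).
ENC = ('Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
       ' boundary="e"\n\n'
       '--e\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n'
       '--e\nContent-Type: application/octet-stream\n\n'
       '-----BEGIN PGP MESSAGE-----\n(constructed)\n-----END PGP MESSAGE-----\n'
       '--e--\n')
LIST_MAIL = ('Content-Type: multipart/mixed; boundary="m"\n\n--m\n' + ENC +
             '--m\nContent-Type: text/plain\n\nlist footer\n--m--\n')
IRREGULAR = ('Content-Type: multipart/mixed; boundary="m"\n\n'
             '--m\nContent-Type: text/plain\n\npreface\n--m\n' + ENC + '--m--\n')

if __name__ == "__main__":
    for name, raw in (("ENC", ENC), ("LIST_MAIL", LIST_MAIL), ("IRREGULAR", IRREGULAR)):
        target, text, other = plan_display(message_from_string(raw))
        print(name, "decrypt" if target else "no decrypt", len(text), len(other))
```
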
