Future OpenPGP Support in Thunderbird
Martijn Brinkers
martijn.list at gmail.com
Wed Oct 16 10:46:38 CEST 2019
> Efail-1 was what Werner is talking about here. It was a pretty bad
> blow to S/MIME, but far less so to OpenPGP, since OpenPGP has had
> countermeasures in place for almost twenty years. Efail-1's impact
> on OpenPGP was, is, minimal.
I actually spend a lot of time investigating the impact of EFAIL on
S/MIME and it's my opinion that the real impact has been overblown. In
all my experiments, and I can tell you I have done a lot of them, I have
not been able to force a mail client to actually forward the decrypted
content to a remote system.
The CBC attack is serious because modifying encrypted content is not
something you expect from a security point of view. But the real life
impact is not as big as they wanted us to believe (IMHO). I have asked
the EFAIL authors for examples on real life attacks (of the CBC problem
related to S/MIME) but I never got a real answer whether they were able
to use the attack in real life situation.
I think the problem with the paper was that they discusses two separate
issues. The issue with Efail-2 was serious but that was more an mail
client issue.
Kind regards,
Martijn
More information about the Gnupg-users
mailing list