Future OpenPGP Support in Thunderbird

Werner Koch wk at gnupg.org
Wed Oct 16 14:06:29 CEST 2019


On Wed, 16 Oct 2019 10:46, Martijn Brinkers said:

> I actually spend a lot of time investigating the impact of EFAIL on
> S/MIME and it's my opinion that the real impact has been overblown. In
> all my experiments, and I can tell you I have done a lot of them, I have
> not been able to force a mail client to actually forward the decrypted
> content to a remote system.

I recall that you mentioned this in the past and I have not seen any
statement to the contrary.  In fact the whole attack is nearly 20 years
old and even back then it was hard to construct a case where the
non-authenticated encryption could be abused.  When the PGP folks and I
discussed the attack around the year 2000, we knew that and suggested
signed mails as a solid countermeasure.  The MDC was then
introduced mainly to counter the more or less theoretical attack and to
be on the safe side in case better attacks would be developed.

The media and political coverage (we had working groups and internal
meetings) of the efail paper however required some extra measures to
be taken.

> I think the problem with the paper was that they discussed two separate
> issues. The issue with Efail-2 was serious but that was more a mail
> client issue.

I fully agree here.  As usual reports about the MUA failures spread for
months without mentioning that all the major MUAs fixed the bug within a
few days or weeks or even had fixed it at the time the paper was
published.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.