
curl-library

Re: curl and PGP/GPG

From: Patrick Monnerat <patrick_at_monnerat.net>
Date: Sat, 26 May 2018 13:10:49 +0200

On 05/26/2018 11:18 AM, Aleksandar Lazic wrote:
>
>> Note also that mail encryption is currently NOT secure
>> (CVE-2017-17688): https://efail.de/
>
> Please be more precise!
> https://efail.de/#mitigations
>
> The encryption is still secure.
> The attack works because of *not good* gpg/smime implementation in the
> mail clients.
>
Yes: my statement was in "short form", with a link for details.
The problem is actually not encryption, but MUAs not respecting the MIME
structure of received composite mails at some level.
Thunderbird/Enigmail, which is mentioned by Alain, fixes it in 52.8
(https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/) which
is very young (May 18, 2018) thus not likely to be installed on most
workstations.

> The bottom line for me is, don't use HTML emails!
> Plaintext mails are still secure, IMHO.

No they aren't: the HTML leading and trailing parts are supposed to be
forged by a MITM before reaching the recipient's MUA, therefore out of
sender's or recipient's control.

In any case, this is out of curl's scope: I wrote this note just to bring
Alain's attention to it.
Received on 2018-05-26
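
An added example, not part of the original mail or of curl: a Python triage heuristic for the composite structure discussed above, where an encrypted part shares a multipart container with text/html siblings. The function names and both sample messages are constructed for illustration, and the payloads are placeholders rather than real ciphertext.

```python
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Content types that mark a part as encrypted (PGP/MIME and S/MIME).
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime",
                   "application/x-pkcs7-mime"}

def is_encrypted(part):
    """True for PGP/MIME, S/MIME, or a leaf part carrying inline PGP armor."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    payload = part.get_payload()
    return isinstance(payload, str) and "-----BEGIN PGP MESSAGE-----" in payload

def find_mixed_encrypted(msg):
    """List (container type, child types) where ciphertext has text/html siblings."""
    findings = []
    for container in msg.walk():
        ctype = container.get_content_type()
        if not container.is_multipart() or ctype in ENCRYPTED_TYPES:
            continue  # skip leaf parts and the PGP/MIME wrapper itself
        children = container.get_payload()
        kinds = [c.get_content_type() for c in children]
        if any(is_encrypted(c) for c in children) and "text/html" in kinds:
            findings.append((ctype, kinds))
    return findings

def scan_raw(raw):
    """Same check, starting from the raw text of a received message."""
    return find_mixed_encrypted(message_from_string(raw))

def sample_composite():
    # Constructed sample: encrypted part between two HTML parts.
    outer = MIMEMultipart("mixed")
    outer.attach(MIMEText("<p>leading part</p>", "html"))
    outer.attach(MIMEApplication(b"CONSTRUCTED PLACEHOLDER", "pkcs7-mime"))
    outer.attach(MIMEText("<p>trailing part</p>", "html"))
    return outer

def sample_clean():
    # Constructed sample: ordinary PGP/MIME message with no HTML siblings.
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer.attach(MIMEApplication(b"Version: 1", "pgp-encrypted"))
    outer.attach(MIMEApplication(b"CONSTRUCTED PLACEHOLDER", "octet-stream"))
    return outer
```

A hit is a reason to inspect the message before it reaches an unpatched MUA, not proof of tampering: some legitimate senders also mix encrypted and HTML parts.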