Re: curl and PGP/GPG

From: Patrick Monnerat <>
Date: Sat, 26 May 2018 13:10:49 +0200

On 05/26/2018 11:18 AM, Aleksandar Lazic wrote:
>> Note also that mail encryption is currently NOT secure
>> (CVE-2017-17688):
> Please be more precise!
> The encryption is still secure.
> The attack works because of *not good* gpg/smime implementation in the
> mail clients.
Yes: my statement was in "short form", with a link for details.
The problem is actually not encryption, but MUAs not respecting the MIME
structure of received composite mails at some level.
Thunderbird/Enigmail, which is mentioned by Alain, fixes it in 52.8
( which
is very young (May 18, 2018) thus not likely to be installed on most

> The bottom line for me is, don't use HTML emails!
> Plaintext mails are still secure, IMHO.

No they aren't: the HTML leading and trailing parts are supposed to be
forged by a MITM before reaching the recipient's MUA, therefore out of
sender's or recipient's control.

In any case, this is out of curl scope: I wrote this note just to bring
Alain's attention to it.
Received on 2018-05-26
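
The structural point made in the message above (leading and trailing HTML parts placed around the ciphertext in a composite mail), as an added example that is not part of the original post: a Python check, using the standard `email` package, that flags `text/html` parts sitting beside an encrypted part in the same multipart container. The sample messages are constructed, and the function name and the set of content types treated as encrypted are assumptions.

```python
from email import message_from_string

# Content types treated as an encrypted part (assumption; simplification:
# application/pkcs7-mime can also carry signed-only data).
ENCRYPTED = {"multipart/encrypted", "application/pkcs7-mime", "application/x-pkcs7-mime"}

def html_beside_ciphertext(raw):
    """Return (container type, child index, 'before'|'after') for every text/html
    part that is a sibling of an encrypted part in the same multipart container."""
    findings = []
    for node in message_from_string(raw).walk():
        # Only containers matter; the inside of multipart/encrypted is not inspected.
        if not node.is_multipart() or node.get_content_type() == "multipart/encrypted":
            continue
        kids = node.get_payload()
        enc = [i for i, k in enumerate(kids) if k.get_content_type() in ENCRYPTED]
        if not enc:
            continue
        for i, k in enumerate(kids):
            if k.get_content_type() == "text/html":
                where = "before" if i < enc[0] else "after"
                findings.append((node.get_content_type(), i, where))
    return findings

# Constructed PGP/MIME entity; the ciphertext is a placeholder.
PGP_MIME = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"\n'
    "\n--enc\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--enc\nContent-Type: application/octet-stream\n\n(ciphertext placeholder)\n--enc--\n"
)
# Constructed: the encrypted entity is the whole message.
CLEAN = "MIME-Version: 1.0\n" + PGP_MIME
# Constructed: the same entity wrapped between two HTML parts.
WRAPPED = (
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="outer"\n\n'
    "--outer\nContent-Type: text/html\n\n<p>leading part\n"
    "--outer\n" + PGP_MIME +
    "--outer\nContent-Type: text/html\n\ntrailing part</p>\n--outer--\n"
)

if __name__ == "__main__":
    print("clean:  ", html_beside_ciphertext(CLEAN))
    print("wrapped:", html_beside_ciphertext(WRAPPED))
```

A non-empty result means the decrypted text should not be rendered in the same HTML document as its neighbouring parts.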