
The published examples for exploiting the EFAIL email encryption vulnerability all appear to use HTML to create a backchannel for exfiltrating decrypted data.

However, the homepage of EFAIL, https://efail.de/ , claims:

Short term: Disable HTML rendering. [...]

Note that there are other possible backchannels in email clients which are not related to HTML but these are more difficult to exploit.

As far as I can see, all the published examples rely on loading of remote content (i.e. things linked from an HTML mail, such as images or CSS).

So:

  • Why is it recommended to completely disable HTML rendering? Would it not be enough to disable loading of remote content (which is the default in most modern mail programs anyway)?
  • What other backchannels are there which are "not related to HTML"? Did the authors elaborate on this somewhere?
sleske

1 Answer


First, I would recommend reading not only the homepage of the vulnerability but the actual paper, since it has far more details. Both of your questions are answered in the paper.

Why is it recommended to completely disable HTML rendering? Would it not be enough to disable loading of remote content (which is the default in most modern mail programs anyway)?

Because the setting to disable remote content (if it exists at all) often does not actually disable all remote content. To take just one example from the paper (pages 20-21), the following will cause a request to a remote URL in Thunderbird even though loading of remote content was disabled:

<link href="http://efail.de" rel="preconnect">

What other backchannels are there which are "not related to HTML"? Did the authors elaborate on this somewhere?

Yes, the authors clearly elaborated on this. On pages 20 and 21 of the paper the authors list the behavior of many different mail clients regarding possible backchannels. While most of the backchannels require HTML, some can be triggered by ordinary mail headers. For example, according to the paper, Apple Mail can be used as a backchannel like this:

Remote-Attachment-Url: http://efail.de
Steffen Ullrich
    Thanks, and I feel appropriately humbled. I did scan the paper, but did not read it in full. Serves me right. Of course, then again, if people always read the docs, most questions on Stack Overflow would not exist, and this site would never have gotten off the ground, so I'm not alone with that problem :-). – sleske May 25 '18 at 20:30
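The answer's point is that an "block remote content" switch which only targets remote images leaves other request-triggering constructs untouched. The following is an added example (not code from the EFAIL paper, from efail.de, or from either poster) that scans a raw message for such candidate backchannels: non-image HTML elements with remote URLs, CSS `url()` references in `<style>` blocks and `style` attributes, and header fields a client might resolve. The list of tags/attributes, and the header names other than `Remote-Attachment-Url` (which the answer cites), are illustrative assumptions, not an exhaustive catalogue; the sample message is constructed for the demo.

```python
"""Scan a raw RFC 822 message for candidate exfiltration backchannels.

Added example, not part of the EFAIL paper or efail.de. The tag/attribute
table and the header list below are assumptions chosen for illustration;
Remote-Attachment-Url is the only header taken from the answer above.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Element/attribute pairs that can make a mail client fetch a URL.
# Assumption: illustrative list, not exhaustive.
FETCHING_ATTRS = {
    "img": ("src",),
    "link": ("href",),      # covers rel=preconnect/prefetch/stylesheet
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "input": ("src",),
    "form": ("action",),
}

# Header fields some clients may resolve. Assumption: illustrative.
SUSPECT_HEADERS = ("Remote-Attachment-Url",)

CSS_URL = re.compile(r"url\(\s*['\"]?\s*(https?://[^'\")\s]+)", re.I)
REMOTE = re.compile(r"^\s*(https?:)?//", re.I)   # http(s) or scheme-relative


class BackchannelParser(HTMLParser):
    """Collect (location, url) pairs for every remote reference found."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for name in FETCHING_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value and REMOTE.match(value):
                self.findings.append((f"<{tag} {name}>", value.strip()))
        # Inline style="background:url(...)" also triggers a fetch.
        style = attrs.get("style")
        if style:
            for url in CSS_URL.findall(style):
                self.findings.append((f"<{tag} style>", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self.findings.append(("<style>", url))


def scan_message(raw: bytes):
    """Return all candidate backchannels in a raw message, headers first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for hdr in SUSPECT_HEADERS:
        for value in msg.get_all(hdr, []):
            findings.append((f"header {hdr}", str(value).strip()))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = BackchannelParser()
            parser.feed(part.get_content())
            parser.close()
            findings.extend(parser.findings)
    return findings


def missed_by_image_blocking(findings):
    """Everything a client that only blocks remote <img src> would still fetch."""
    return [f for f in findings if not f[0].startswith("<img ")]


# Constructed sample message (not a real EFAIL payload): one remote image,
# plus four references that an image-only block would not stop.
SAMPLE = b"""\
From: attacker@example.invalid
To: victim@example.invalid
Subject: constructed backchannel test message
Remote-Attachment-Url: http://efail.de/h
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><head>
<link href="http://efail.de/p" rel="preconnect">
<style>body { background: url("http://efail.de/c"); }</style>
</head><body>
<img src="cid:inline-logo">
<img src="http://efail.de/i">
<p style="background:url(http://efail.de/s)">hello</p>
</body></html>
"""

if __name__ == "__main__":
    found = scan_message(SAMPLE)
    for where, url in found:
        print(f"{where:32} {url}")
    print(f"{len(missed_by_image_blocking(found))} of {len(found)} "
          "would survive an image-only remote-content block")
```

Running it against the constructed sample reports five candidate backchannels, of which only the one `<img src>` is caught by a setting that blocks remote images; the `<link rel="preconnect">`, the two CSS `url()` references and the `Remote-Attachment-Url` header all remain. The `cid:` image is correctly ignored because it refers to an inline attachment, not a remote resource.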