I saw this question about which out of those two protocols is more secure. The question was from 2016, but Efail was discovered late 2017. I understand that some email programs were affected while others were not, plaintext was somehow sneaked into the message, but the PGP was in no way threatened by it. Would be interested to know if it were both PGP/MIME and PGP/Inline encrypted mails which were affected by the Efail attacks and if one may then be said to be less vulnerable to such attacks in the future.
1 Answer
Efail is independent of which protocol (either form of PGP or S/MIME) is used. It's a matter of what the client does with different blocks within the message body once they have been decrypted.
So if you use Inline PGP by cutting and pasting into an external program instead of something integrated into your email client, you are safe. In principle you could also take PGP/MIME or S/MIME encrypted blocks, extract them from an email, and run them through an external decryption program as well, and that would be safe from Efail as well. It's just not as common a usage as with Inline PGP.
If you are using an email client with built-in support for PGP or S/MIME, then it's all about how the client displays messages. If it displays images, loads scripts, etc., and doesn't sandbox blocks within the message from one another, then Efail is a possibility regardless of the encrypted email system used.
Now, a specific client may differ in how it handles messages depending on the encryption protocol so that it's vulnerable or not depending on the protocol, but that's a property of that client, not of the protocol.
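The answer's point that the risk lies in how a client combines message blocks can be checked structurally. The following is an added example, not part of the original answer: a Python sketch that flags any encrypted part (PGP/MIME, S/MIME, or inline PGP armor) sharing a MIME container with HTML parts, which is the layout a client must render in isolation. The function names and sample messages are constructed for illustration, and the check is a heuristic that does not decrypt anything.

```python
from email import message_from_string

ARMOR = b"-----BEGIN PGP MESSAGE-----"
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime", "application/x-pkcs7-mime"}

def is_encrypted(part):
    """True for a PGP/MIME or S/MIME container, or a text part with inline PGP armor."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    return (part.get_content_maintype() == "text"
            and ARMOR in (part.get_payload(decode=True) or b""))

def has_html(part):
    """True if this part or any part nested in it is text/html."""
    return any(p.get_content_type() == "text/html" for p in part.walk())

def mixed_context_findings(msg, path="root"):
    """Paths of encrypted parts whose sibling parts contain HTML."""
    if not msg.is_multipart() or is_encrypted(msg):
        return []  # a leaf, or an encrypted container that stands alone
    findings, children = [], msg.get_payload()
    for i, child in enumerate(children):
        if is_encrypted(child):
            others = children[:i] + children[i + 1:]
            if any(has_html(o) for o in others):
                findings.append(f"{path}/{i}")
        else:
            findings.extend(mixed_context_findings(child, f"{path}/{i}"))
    return findings

# Constructed samples; the armored body is a placeholder, not real ciphertext.
ENCRYPTED_PART = """\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b2"

--b2
Content-Type: application/pgp-encrypted

Version: 1
--b2
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder
-----END PGP MESSAGE-----
--b2--
"""
WRAPPED = ('Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
           "Content-Type: text/html\n\n<p>sender-supplied markup</p>\n--b1\n"
           + ENCRYPTED_PART + "--b1--\n")

print(mixed_context_findings(message_from_string(WRAPPED)))  # ['root/1']
```

A message whose root is the encrypted container itself produces no findings; a flagged path means the decrypted text should be shown on its own rather than merged with the neighbouring HTML.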