IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [efail]

EFAIL is a vulnerability in the OpenPGP and S/MIME standards, disclosed in 2018.

6 questions
52
votes
5 answers

What actions should I, as an end user, take in response to EFAIL?

There's a lot of talk about EFAIL: The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded…
Anders
  • 64,406
  • 24
  • 178
  • 215
6
votes
1 answer

What are the EFAIL "backchannels in email clients not related to HTML"?

The published examples for exploiting the EFAIL email encryption vulnerability all appear to use HTML to create a backchannel for exfiltrating decrypted data. However, the homepage of EFAIL, https://efail.de/ , claims: Short term: Disable HTML…
sleske
  • 1,622
  • 12
  • 22
6
votes
1 answer

Is this a simple protection against EFAIL?

The way I understand EFAIL, the attack works because email clients can be coerced into concatenating the decrypted message into text supplied by the attacker to result in an URL. But wouldn't it be a counter-measure to use a suitable preamble with…
Hagen von Eitzen
  • 1,098
  • 8
  • 19
1
vote
1 answer

Were PGP/MIME and PGP/Inline equally affected by EFAIL?

I saw this question about which out of those two protocols is more secure. The question was from 2016, but Efail was discovered late 2017. I understand that some email programs were affected while others were not, plaintext was somehow sneaked into…
cardamom
  • 359
  • 2
  • 9
1
vote
1 answer

Is is safe to use PGP again?

The EFF has issued some instructions enitiled "How To Turn PGP Back On As Safely As Possible". The emphasis there is mine, and that qualifier worries me. Realistically, what risks do I run if I follow their instructions? And will it help me if I…
Mawg says reinstate Monica
  • 1,368
  • 2
  • 13
  • 26
-1
votes
1 answer

Will this method allow EFAIL-safe sending of OpenPGP encrypted messages to otherwise EFAIL-unsafe readers?

The proposed method Brief and simplified description of the attack: Any and every single encrypted block B of the encrypted message can be surrounded by Trojan psuedo-encrypted data to give a multiblock encrypted message ABC. The A and C parts are…
Craig Hicks
  • 425
  • 3
  • 6