[horde] PGP vulnerability

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Mon May 14 12:21:29 UTC 2018


Quoting Arjen de Korte <build+horde at de-korte.org>:

> Regarding below warning from the EFF:
>
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>
> Based on the limited information available today, I assume this has  
> something to do with a crafted message that somehow discloses the  
> private key to an attacker. Does anybody know if besides the plugins  
> mentioned in this article, other applications (Horde for instance)  
> are affected as well?


Looks like a client problem and not a problem of encryption (PGP,
S/MIME). The client must be tricked/fooled with a special MIME structure
to send back the decrypted content by a URL used to load external
content. So it is an example of why HTML e-mail is evil.

https://www.efail.de/

What are the EFAIL attacks?

The EFAIL attacks break PGP and S/MIME email encryption by coercing  
clients into sending the full plaintext of the emails to the attacker.
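
As an added illustration (not part of the original post and not Horde's code): a triage check a mail gateway or webmail backend could run, flagging messages that carry PGP or S/MIME encrypted content together with an HTML part that would load external content when rendered. The function names, the attribute list and the sample message are assumptions constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

AUTOLOAD_ATTRS = {"src", "background", "poster"}   # fetched on render
ENCRYPTED_TYPES = {"application/pgp-encrypted", "application/pkcs7-mime",
                   "application/x-pkcs7-mime"}

class RemoteRefs(HTMLParser):
    """Collect http(s) URLs that rendering the HTML would request."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            auto = name in AUTOLOAD_ATTRS or (tag == "link" and name == "href")
            if auto and value and value.lower().startswith(("http://", "https://")):
                self.urls.append((tag, value))

def audit(raw: bytes) -> dict:
    """Report encrypted content and remote references found in one message."""
    encrypted, urls = False, []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted = True
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            encrypted = encrypted or "-----BEGIN PGP MESSAGE-----" in body
            if ctype == "text/html":
                parser = RemoteRefs()
                parser.feed(body)
                parser.close()
                urls.extend(parser.urls)
    return {"encrypted": encrypted, "remote_refs": urls,
            "risky": encrypted and bool(urls)}

def build_sample(remote: bool) -> bytes:
    """Constructed sample: inline PGP placeholder plus an inline HTML part."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n")
    img = '<img src="https://example.invalid/pixel.png">' if remote else ""
    msg.add_attachment(f'<p>hi</p><a href="https://example.invalid/">x</a>{img}',
                       subtype="html", disposition="inline")
    return msg.as_bytes()

if __name__ == "__main__":
    print(audit(build_sample(True)))
```

Markup that the parser does not tokenize as a tag is not reported, so this is a triage aid rather than a guarantee.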




