<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/xhtml; charset=utf-8">
</head>
<body>
<div style="font-family:sans-serif"><div style="white-space:normal">
<p dir="auto">On 14 May 2018, at 13:28, Nicholas Vahalik wrote:</p>
</div>
<div style="white-space:normal"><blockquote style="border-left:2px solid #777; color:#777; margin:0 0 5px; padding-left:5px"><p dir="auto">I think they are talking about this: <a href="https://efail.de" style="color:#777">https://efail.de</a><br>
</p>
<blockquote style="border-left:2px solid #777; color:#999; margin:0 0 5px; padding-left:5px; border-left-color:#999"><p dir="auto">Not directly a MM issue</p>
</blockquote></blockquote></div>
<div style="white-space:normal">
<p dir="auto">It is definitely also related to MailMate and MailMate 1.10 (February 10th) is listed in the tables of the paper.</p>
</div>
<div style="white-space:normal"><blockquote style="border-left:2px solid #777; color:#777; margin:0 0 5px; padding-left:5px"><blockquote style="border-left:2px solid #777; color:#999; margin:0 0 5px; padding-left:5px; border-left-color:#999"><p dir="auto">but I think it should be pointed out to everybody here using GPG (I certainly do):<br>
<br>
<a href="https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now" style="color:#999">https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now</a></p>
</blockquote></blockquote></div>
<div style="white-space:normal">
<p dir="auto">Ok, this is a tricky email to write. I'd like to write that you are safe using MailMate, but I might have missed something and then I would look really stupid. MailMate is a one-man business and there are never any guarantees. I make mistakes and the best I can tell you is that I'll work to fix those mistakes when an issue is reported.</p>
<p dir="auto">And this is exactly what happened when the <code style="background-color:#F7F7F7; border-radius:3px; margin:0; padding:0 0.4em" bgcolor="#F7F7F7">efail</code> project contacted me. The first issue was reported on February 10th and the following week or so several other issues were reported. Most of them I fixed quickly and I released test releases including these fixes. I couldn't exactly write what I had done in the release notes because of the non-disclosure nature of such reports, but all of my fixes were included in the public release of version 1.11 (March 12th).</p>
<p dir="auto">The worst type of exploit was a technique which allowed a man-in-the-middle attacker to take any encrypted email and then send an email to the author of this email which would effectively decrypt the email and send the result to a server, for example, using an <code style="background-color:#F7F7F7; border-radius:3px; margin:0; padding:0 0.4em" bgcolor="#F7F7F7">&lt;img src&gt;</code> HTML reference. Other issues reported were less serious, for example, various techniques to work around image blocking if the attacker just wanted to know when (and to some extent where) you read an email. This could, for example, be done using so-called S/MIME intermediate certificates or by using a special fake DNS server and so-called DNS prefetching.</p>
<p dir="auto">As a general stop-gap solution for similar types of problems I've also changed MailMate to always block external references when dealing with encrypted content in emails. This is, most of the time, not a problem since such emails are relatively rare.</p>
<p dir="auto">I've fixed all of the above, but if someone finds out that I missed something then <em>please</em> let me know.</p>
<p dir="auto">This is just me ranting a bit: Given the above, I'm a bit disappointed by the way these issues are now reported. I released a (I presume) fixed version of MailMate more than 2 months ago, but all I can find now with regard to the <code style="background-color:#F7F7F7; border-radius:3px; margin:0; padding:0 0.4em" bgcolor="#F7F7F7">efail</code> project is references to MailMate 1.10. There's not even a list online of the status of the email clients involved. In this regard, I preferred how the mailsploit issues were reported although in that case I did not receive any prior warning. I also liked that they provided an easy way for users to generate emails which could test their email clients. That said, I'm <em>very</em> glad that I did get prior notice of these <code style="background-color:#F7F7F7; border-radius:3px; margin:0; padding:0 0.4em" bgcolor="#F7F7F7">efail</code> issues since some of them were pretty hard to fix.</p>
<p dir="auto">Other notes:</p>
<ul>
<li><code style="background-color:#F7F7F7; border-radius:3px; margin:0; padding:0 0.4em" bgcolor="#F7F7F7">efail</code> affected both OpenPGP and S/MIME. In MailMate, the S/MIME had more issues than OpenPGP.</li>
<li>It doesn't help much to configure your email client to only generate plain text emails. This is not the problem. If you want to be extra safe then you can use “Prefer Plain Text” in the Composer preferences pane and the <a href="https://manual.mailmate-app.com/hidden_preferences#visual-appearance" style="color:#3983C4"><code style="background-color:#F7F7F7; border-radius:3px; margin:0; padding:0 0.4em" bgcolor="#F7F7F7">MmNeverDisplayHTML</code></a> hidden preference. But if my fixes work as expected then you shouldn't need to do so.</li>
<li>I'm not a security expert and some of the <code style="background-color:#F7F7F7; border-radius:3px; margin:0; padding:0 0.4em" bgcolor="#F7F7F7">efail</code> issues are very smart and something I would never have considered to be a problem. It is quite possible that other issues exist which no one has thought of yet.</li>
</ul>
<p dir="auto">I hope this clears it up a bit. (I haven't read the paper or the homepage in detail yet and I might have missed something.)</p>
<p dir="auto">-- <br>
Benny<br>
<a href="https://freron.com/become_a_mailmate_patron/" style="color:#3983C4">https://freron.com/become_a_mailmate_patron/</a></p>
</div>
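<p dir="auto">An added example, not part of the original message and not MailMate's code: a Python illustration of the stop-gap described above, removing every reference a renderer would fetch on its own whenever the message contains encrypted content. The names <code>render_html</code> and <code>ExternalRefBlocker</code>, the attribute list and the sample message are assumptions made for this illustration.</p>

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed list of attributes that trigger a fetch without user action.
FETCH_ATTRS = {"src", "srcset", "background", "poster", "data"}
CSS_URL = re.compile(r"url\s*\(", re.I)

def is_local(value):
    """References resolved inside the message itself (cid:, data:) are kept."""
    return value.strip().lower().startswith(("cid:", "data:"))

class ExternalRefBlocker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _emit(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            value = value or ""
            fetches = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if fetches and not is_local(value):
                self.blocked.append((tag, name, value))   # dropped, recorded
            elif name == "style" and CSS_URL.search(value):
                self.blocked.append((tag, name, value))   # inline CSS url()
            else:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}{close}>")

    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def render_html(html, has_encrypted_content):
    """Return (html_to_display, blocked_refs); encrypted mail is always rewritten."""
    if not has_encrypted_content:
        return html, []          # assumed: the normal image-blocking setting applies
    parser = ExternalRefBlocker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample: HTML of a message that contains a decrypted part.
SAMPLE = ('<p>Quarterly numbers attached.</p>'
          '<img src="cid:logo@example.invalid">'
          '<img src="https://tracker.example.invalid/p.gif">'
          '<link rel="dns-prefetch" href="//id123.example.invalid">'
          '<div style="background:url(https://example.invalid/b.png)">hi</div>')
```

<p dir="auto">Ordinary <code>&lt;a href&gt;</code> links are left in place because they are only followed when the reader clicks them.</p>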
</div>
</body>
</html>