[MlMt] PSA - PGP / GPG issue !
Benny Kjær Nielsen
mailinglist at freron.com
Mon May 14 08:36:58 EDT 2018
On 14 May 2018, at 13:28, Nicholas Vahalik wrote:

> I think they are talking about this: https://efail.de
>> Not directly a MM issue

It is definitely also related to MailMate and MailMate 1.10 (February
10th) is listed in the tables of the paper.

>> but I think it should be pointed out to everybody here using GPG (I
>> certainly do):

Ok, this is a tricky email to write. I'd like to write that you are safe
using MailMate, but I might have missed something and then I would look
really stupid. MailMate is a one-man business and there are never any
guarantees. I make mistakes and the best I can tell you is that I'll
work to fix those mistakes when an issue is reported.

And this is exactly what happened when the `efail` project contacted me.
The first issue was reported on February 10th and the following week or
so several other issues were reported. Most of them I fixed quickly and
I released test releases including these fixes. I couldn't exactly write
what I had done in the release notes because of the non-disclosure
nature of such reports, but all of my fixes were included in the public
release of version 1.11 (March 12th).

The worst type of exploit was a technique which allowed a
man-in-the-middle attacker to take any encrypted email and then send an
email to the author of this email which would effectively decrypt the
email and send the result to a server, for example, using an `<img src>`
HTML reference. Other issues reported were less serious, for example,
various techniques to work around image blocking if the attacker just
wanted to know when (and to some extent where) you read an email. This
could, for example, be done using so-called S/MIME intermediate
certificates or by using a special fake DNS server and so-called DNS

As a general stop-gap solution for similar types of problems I've also
changed MailMate to always block external references when dealing with
encrypted content in emails. This is, most of the time, not a problem
since such emails are relatively rare.

I've fixed all of the above, but if someone finds out that I missed
something then *please* let me know.

This is just me ranting a bit: Given the above, I'm a bit disappointed
by the way these issues are now reported. I released a (I presume) fixed
version of MailMate more than 2 months ago, but all I can find now with
regard to the `efail` project is references to MailMate 1.10. There's
not even a list online of the status of the email clients involved. In
this regard, I preferred how the mailsploit issues were reported
although in that case I did not receive any prior warning. I also liked
that they provided an easy way for users to generate emails which could
test their email clients. That said, I'm *very* glad that I did get
prior notice of these `efail` issues since some of them were pretty hard

* `efail` affected both OpenPGP and S/MIME. In MailMate, the S/MIME had
more issues than OpenPGP.
* It doesn't help much to configure your email client to only generate
plain text emails. This is not the problem. If you want to be extra safe
then you can use “Prefer Plain Text” in the Composer preferences
pane and the
hidden preference. But if my fixes work as expected then you shouldn't
need to do so.
* I'm not a security expert and some of the `efail` issues are very
smart and something I would never have considered to be a problem. It is
quite possible that other issues exist which no one has thought of yet.

I hope this clears it up a bit. (I haven't read the paper or the
homepage in detail yet and I might have missed something.)
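
A minimal sketch of the stop-gap described in the message above (block external references whenever a message contains encrypted content). This is an added example, not MailMate's code and not part of the original post; the function names, the attribute list and the sample HTML are assumptions constructed for illustration, and `<style>` element contents are not inspected.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a renderer may fetch automatically (assumed list, not exhaustive).
FETCH_ATTRS = {"src", "srcset", "background", "poster", "data"}
LOCAL_SCHEMES = {"cid", "data"}  # resolved from the message itself, no network

def is_external(value):  # True unless the URL is resolved inside the message
    try:
        return urlsplit((value or "").strip()).scheme.lower() not in LOCAL_SCHEMES
    except ValueError:  # unparsable URL: treat as external
        return True

class ExternalRefBlocker(HTMLParser):  # re-emits HTML minus fetching attributes
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _tag(self, tag, attrs, close):
        kept = [tag]
        for name, value in attrs:
            fetches = (name in FETCH_ATTRS or (tag == "link" and name == "href")
                       or (name == "style" and "url(" in (value or "").lower()))
            # srcset and style can carry several URLs, so they are dropped outright.
            if fetches and (name in ("srcset", "style") or is_external(value)):
                self.blocked.append((tag, name, value))
            else:
                kept.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join(kept) + close)

    def handle_starttag(self, tag, attrs): self._tag(tag, attrs, ">")
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, " />")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def render_safe(body_html, has_encrypted_content):
    """Return (html, blocked); strip only when the message had encrypted parts."""
    if not has_encrypted_content:
        return body_html, []
    parser = ExternalRefBlocker()
    parser.feed(body_html)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample of a decrypted HTML part (hosts are placeholders).
SAMPLE = ('<p>Q3 numbers &amp; forecast</p><img src="cid:logo@example.invalid">'
          '<img src="http://collector.example.invalid/px?id=1">'
          '<link rel="stylesheet" href="//cdn.example.invalid/a.css">')
```

The `blocked` list is worth logging: a remote reference inside an encrypted message is unusual enough to be a useful signal on its own.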