[MlMt] PSA - PGP / GPG issue !

Nick Vahalik nick at nickvahalik.com
Mon May 14 08:42:37 EDT 2018


Benny, you are a gem. We appreciate you very much. 

Sent from my iPhone

> On May 14, 2018, at 7:36 AM, Benny Kjær Nielsen <mailinglist at freron.com> wrote:
> 
> On 14 May 2018, at 13:28, Nicholas Vahalik wrote:
> 
> I think they are talking about this: https://efail.de
> Not directly a MM issue
> 
> It is definitely also related to MailMate and MailMate 1.10 (February 10th) is listed in the tables of the paper.
> 
> but I think it should be pointed out to everybody here using GPG (I certainly do):
> 
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
> 
> Ok, this is a tricky email to write. I'd like to write that you are safe using MailMate, but I might have missed something and then I would look really stupid. MailMate is a one-man business and there are never any guarantees. I make mistakes and the best I can tell you is that I'll work to fix those mistakes when an issue is reported.
> 
> And this is exactly what happened when the efail project contacted me. The first issue was reported on February 10th and the following week or so several other issues were reported. Most of them I fixed quickly and I released test releases including these fixes. I couldn't exactly write what I had done in the release notes because of the non-disclosure nature of such reports, but all of my fixes were included in the public release of version 1.11 (March 12th).
> 
> The worst type of exploit was a technique which allowed a man-in-the-middle attacker to take any encrypted email and then send an email to the author of this email which would effectively decrypt the email and send the result to a server, for example, using an <img src> HTML reference. Other issues reported were less serious, for example, various techniques to work around image blocking if the attacker just wanted to know when (and to some extent where) you read an email. This could, for example, be done using so-called S/MIME intermediate certificates or by using a special fake DNS server and so-called DNS prefetching.
> 
> As a general stop-gap solution for similar types of problems I've also changed MailMate to always block external references when dealing with encrypted content in emails. This is, most of the time, not a problem since such emails are relatively rare.
> 
> I've fixed all of the above, but if someone finds out that I missed something then please let me know.
> 
> This is just me ranting a bit: Given the above, I'm a bit disappointed by the way these issues are now reported. I released a (I presume) fixed version of MailMate more than 2 months ago, but all I can find now with regard to the efail project is references to MailMate 1.10. There's not even a list online of the status of the email clients involved. In this regard, I preferred how the mailsploit issues were reported although in that case I did not receive any prior warning. I also liked that they provided an easy way for users to generate emails which could test their email clients. That said, I'm very glad that I did get prior notice of these efail issues since some of them were pretty hard to fix.
> 
> Other notes:
> 
> - efail affected both OpenPGP and S/MIME. In MailMate, the S/MIME had more issues than OpenPGP.
> - It doesn't help much to configure your email client to only generate plain text emails. This is not the problem. If you want to be extra safe then you can use “Prefer Plain Text” in the Composer preferences pane and the MmNeverDisplayHTML hidden preference. But if my fixes work as expected then you shouldn't need to do so.
> - I'm not a security expert and some of the efail issues are very smart and something I would never have considered to be a problem. It is quite possible that other issues exist which no one has thought of yet.
> 
> I hope this clears it up a bit. (I haven't read the paper or the homepage in detail yet and I might have missed something.)
> 
> -- 
> Benny
> https://freron.com/become_a_mailmate_patron/
> 
> _______________________________________________
> mailmate mailing list
> mailmate at lists.freron.com
> https://lists.freron.com/listinfo/mailmate
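
The stop-gap described in the quoted message (always block external references once a message contains encrypted content) can be sketched as follows; this is an added example, not MailMate's code and not part of the original post. The function names, the attribute list and the set of message-local URL prefixes are assumptions, and the sample message and HTML body are constructed.

```python
from email import message_from_string
from html import escape
from html.parser import HTMLParser

ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime", "application/x-pkcs7-mime"}
URL_ATTRS = {"src", "srcset", "href", "background", "poster", "data", "action"}
LOCAL_PREFIXES = ("cid:", "data:", "mailto:", "#")  # assumed set: never fetched from the network
def has_encrypted_content(msg):
    """True if any MIME part is OpenPGP or S/MIME encrypted, or holds inline PGP armor."""
    for part in msg.walk():
        body = part.get_payload(decode=True) or b""  # None for multipart containers
        if part.get_content_type() in ENCRYPTED_TYPES or b"-----BEGIN PGP MESSAGE-----" in body:
            return True
    return False

class ReferenceBlocker(HTMLParser):
    """Re-serialises HTML, dropping URL-bearing attributes that are not message-local."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []
    def handle_starttag(self, tag, attrs):
        kept = [tag]
        for name, value in attrs:
            text = (value or "").strip().lower()
            remote = name in URL_ATTRS and not text.startswith(LOCAL_PREFIXES)
            if remote or (name == "style" and "url(" in text):
                self.blocked.append(value)  # deny by default; record what was dropped
            else:
                kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(kept) + ">")
    handle_startendtag = handle_starttag  # <br/> must not gain a closing tag
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def html_for_display(html, encrypted):
    """Return (html, blocked); references are blocked only when mail is encrypted."""
    if not encrypted:
        return html, []
    blocker = ReferenceBlocker()
    blocker.feed(html)
    blocker.close()
    return "".join(blocker.out), blocker.blocked

# Constructed sample: a PGP/MIME skeleton and a made-up decrypted HTML body.
SAMPLE = ('Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"\n\n'
          '--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n'
          '--b\nContent-Type: application/octet-stream\n\n(placeholder)\n--b--\n')
DECRYPTED = '<p>Q3 &amp; plan<img src="http://tracker.example/p.png"><img src="cid:logo"></p>'
```

This filter covers URL-bearing attributes only; `<style>` blocks and the certificate and DNS lookups mentioned in the message are separate channels. `application/pkcs7-mime` is also used for signed-only S/MIME, so the detection errs toward blocking.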