Efail and Mutt

Discussion:

Efail and Mutt

Vincent Lefevre

2018-05-14 13:33:33 UTC

About Efail <https://efail.de/>, you may be interested in this
discussion:

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

Mutt is probably safe as not rendering HTML, but this isn't clear...
And piping a decrypted mail to a browser (e.g. if there is no
text/plain part, and an attacker can ensure that) is not safe.

Does it handle the GPG warning in a special way? The display of the
warning only is not sufficient since it can easily remain unnoticed
by the user.

--
Vincent Lefèvre <***@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Kevin J. McCarthy

2018-05-14 17:09:31 UTC

Permalink

Post by Vincent Lefevre
About Efail <https://efail.de/>, you may be interested in this
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
Mutt is probably safe as not rendering HTML, but this isn't clear...

The EFAIL team contacted Mutt in advance of their publication, politely
and well in advance.

At first it seemed we might have an S/MIME issue, but their subsequent
testing found we were (mostly) okay. The only issue was that checking
the certificate chain could notify someone the email had been opened. I
think this can be mitigated by using the "# Section D: Alternatives"
commands in contrib/smime.rc, but that cure may be worse than the
problem.

Post by Vincent Lefevre
And piping a decrypted mail to a browser (e.g. if there is no
text/plain part, and an attacker can ensure that) is not safe.
Does it handle the GPG warning in a special way? The display of the
warning only is not sufficient since it can easily remain unnoticed
by the user.

I added $pgp_decryption_okay in 1.6.0, which (when set to the defaults
in contrib/gpg.rc) checks for "[GNUPG:] DECRYPTION_OKAY" output. If
that's not there, the email is considered unsuccessfully decrypted.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA

Eike Rathke

2018-05-15 23:26:40 UTC

Permalink

Hi,

Post by Vincent Lefevre
And piping a decrypted mail to a browser (e.g. if there is no
text/plain part, and an attacker can ensure that) is not safe.

There's nothing wrong with a ~/.mailcap entry similar to this:

text/html; /usr/bin/elinks -localhost 1 -no-connect 1 -force-html -dump '%s'; copiousoutput

Eike

--
OpenPGP/GnuPG encrypted mail preferred in all private communication.
GPG key 0x6A6CD5B765632D3A - 2265 D7F3 A7B0 95CC 3918 630B 6A6C D5B7 6563 2D3A
Care about Free Software, support the FSFE https://fsfe.org/support/?erack
Use LibreOffice! https://www.libreoffice.org/