On 14/05/18 12:23, Robert J. Hansen wrote:
> It's worth noting, incidentally, the #Efail attack flat-out requires
> MIME. So inline PGP messages are not vulnerable, as there's no MIME
> parsing pass which can be exploited. So you're *still* safe

I wouldn't be that confident. I haven't tested PGP/MIME yet simply because it's harder to construct the test message. The important point is that we can't rely on gnupg's message integrity check to prevent automatic decryption - so there's no good reason to believe that PGP mail is any less vulnerable than S/MIME.

Note to anyone coming fresh to the conversation: disabling the display of HTML email is *probably* a sufficient mitigation in either case.

--
Andrew Gallagher
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users