On 15.05.18 17:53, Lukas Pitschl | GPGTools wrote: > >> Am 15.05.2018 um 17:44 schrieb Patrick Brunschwig <patr...@enigmail.net>: >> >> I already tried a while ago to trick the Thunderbird HTML rendering >> engine with tricks like this... They don't work. The rendering engine >> ignores the </html> tag (and also tags like </body>). >> >> I think the correct solution must be to treat each MIME part >> independently, i.e. it needs to be parsed independently by the HTML >> engine and produce its own DOM tree. At the end, you can concatenate >> these DOM trees and create a single correct HTML document. > > I have also already tried to implement a similar fix for Apple Mail a few > days ago, > using <!--" <!-- --> which did work, but is probably a too naive attempt > to mitigate against these XSS-kind of attacks. > > So I absolutely concur with Patricks statement, that the Mime Parsers have > to be adjusted to treat every text/html part as single DOM tree or even use > different > web document instances to represent the message.
I have actually thought through this during a sleepless night, and I believe that it could work as a quick and easy to implement *short term* measure until the mail clients have fixed the HTML rendering. If we embed the complete result that we get from gpg into the following wrapper, then we should be able to mitigate at least any known form of the attack when it comes to calling a remote URL during message reading: Content-Type: mutlipart/mixed; boundary="WRAPPER" Content-Description: Efail protection wrapper --WRAPPER Content-Type: text/html <!-- > <PRE style="visibility: visible; display: block; font: fixed; font-size: 10px;"> --> <!-- '> <PRE style="visibility: visible; display: block; font: fixed; font-size: 10px;"> --> <!-- "> <PRE style="visibility: visible; display: block; font: fixed; font-size: 10px;"> --> --WRAPPER (result of PGP/MIME decryption) --WRAPPER-- Does anyone see a major hole in this that I may have overseen? If not, then I think I'll implement this in Enigmail until Thunderbird has fixed this properly. -Patrick
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
