To anybody who used my #Gmail, #Gnus and #GPG Guide: Something seems to have surfaced regarding PGP And GPG, so maybe switch to some other technology such as Signal for the moment.
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
https://github.com/kensanata/ggg#gmail-gnus-gpg-guide-gggg
@kensanata As far as I understood, the attack works as follows:
1) Alice sends Bob an encrypted message, I intercept it but cannot read it.
2) I craft a new email to Bob and include the crypted text as an MIME attachment.
3) Bob decrypts the complete email, through an error in his MIME parser, the decrypted text from Alice becomes part of a larger HTML text.
4) By displaying the HTML mail, the secret message may be exfiltrated as part of an URL.
@Masek Sounds like a short and sweet explanation. I read the statement on the mailing list but didn't understand how that would work.
@kensanata Summary: MIME-Parsers are faulty, we knew that.
This attack is a neat trick to include a message I cannot decipher and send it someone else to decipher it and exfiltrate it back through a image URL or similar.
MUAs that call external URLs are a security risk. This was already known. This is just creatively using the problem to decipher a secret message.
