NetBSD-Users archive


Re: security clarification, efail-attack-paper.pdf





On Tue, May 15, 2018 at 3:53 AM, Matt Sporleder <msporleder%gmail.com@localhost> wrote:


> On May 15, 2018, at 12:55 AM, Dave Huang <khym%azeotrope.org@localhost> wrote:
>
>> On 5/14/2018 18:59, George Georgalis wrote:
>> What exactly is the threat? All I can put together is an attacker can encrypt a malicious html email which, when rendered, makes http requests. Not always a good thing, but no different than if a victim renders non-encrypted html email anyway. Is that correct?
>
> My understanding is that if an attacker can pose as a man-in-the-middle for your email, they can modify an encrypted email so that when you receive it, it'll send the decrypted email to the attacker.
>
> --
>

This was my understanding of the most obvious attack as well.

Another one might be to email someone an encrypted file you already have to get it decrypted for you (passwords.txt.pgp found in your company git repo or something).


Well, we certainly wouldn't want that decrypted as part of an HTTP GET request! Thanks for your comment.

-George

 
--
George Georgalis, (415) 894-2710, http://www.galis.org/

