On 15 May 2018, Herminio Hernandez, Jr. wrote:

moin moin,

> Any thought on this response from the GnuPG
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html

Here's a timeline of GnuPG's interaction with the Efail group starting in
November.

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060320.html

The EFF is pointing out that while your client might be safe, your message
might not be, due to the other person's mail client.

----
While you may not be directly affected, the other participants in your
encrypted conversations are likely to be. For this attack, it isn't
important whether the sender or the receiver of the original secret message
is targeted. This is because a PGP message is encrypted to both of their
keys.
----

https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0

Not sure how the EFF has data to suggest that most people who actively use
OpenPGP to encrypt messages are also using susceptible clients with bad
configurations...

The suggestion of using offline decryption tools for PGP doesn't fix that
problem any more than getting people to use safe email clients with safe
configurations.

I will agree that many people will want insecure convenience features.

Let's use the list from mailpile.

https://www.mailpile.is/blog/2018-05-14_PGP_Security_Alert.html

1. Mailpile does not display HTML content by default.
2. Before displaying HTML, Mailpile cleans up malformed and incomplete tags.
3. When displaying HTML, Mailpile does not load remote content by default.
4. Mailpile respects the GnuPG error messages which warn of invalid data.
5. Mailpile never sends auto-replies to incoming mail.

I predict most people aren't going to stop using HTML email. If they were
really serious about security they would already be avoiding HTML email.

Mail clients should be doing 2, 4 and 5. Those greatly reduce the danger
of 1.

3 should be the default, but some people likely want remote content to just
work. There should definitely be a configuration option to forbid loading
remote content without user interaction.

Can there be a configuration option to disable HTML and remote content
loading for OpenPGP encrypted emails?

Additionally, email clients should not allow JavaScript.

ciao,

der.hans

> On Mon, May 14, 2018 at 9:21 PM, Matthew Crews wrote:
>
>> Never been a fan of HTML emails anyway. It's too bad that most websites
>> that have email communications insist on emailing you with HTML.
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>

-- 
#  https://www.LuftHans.com   https://www.PhxLinux.org
#  "It is a miracle that curiosity survives formal education."
#  -- Albert Einstein
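Items 2 and 3 of the Mailpile list above describe two pre-render checks a client can apply to the HTML part of an encrypted message: refuse to render a part that ends inside an unterminated tag, and do not fetch remote resources unless the user has opted in. The following is an added illustration of those two checks, not code from Mailpile or from anyone in this thread; the sample HTML parts and the `render_decision` policy are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample HTML parts (not taken from the thread): a harmless part,
# a part whose last tag is never closed with '>', and a part that points at a
# remote resource.
CLEAN = "<p>Hello <b>world</b></p>"
UNTERMINATED = '<p>Hello</p><img src="https://example.invalid/collect?'
REMOTE = '<p>Hi</p><img src="https://example.invalid/pixel.png">'

# Attributes whose value makes a renderer issue a network request.
REMOTE_ATTRS = {"src", "href", "background", "poster", "data"}
# Tag opened ('<' followed by a name, '/' or '!') with no '>' before end of part.
UNTERMINATED_TAG = re.compile(r"<[A-Za-z/!][^>]*$")


class RemoteRefFinder(HTMLParser):
    """Collects (tag, url) pairs that would be fetched from the network."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in REMOTE_ATTRS and re.match(r"^\s*(https?:|//)", value, re.I):
                self.remote.append((tag, value))


def has_unterminated_tag(html):
    """Item 2: a part that ends inside a tag is malformed; whatever is rendered
    after it (another MIME part, decrypted text) would be swallowed into the tag."""
    return UNTERMINATED_TAG.search(html) is not None


def remote_references(html):
    """Item 3: list every remote resource the part would load."""
    finder = RemoteRefFinder()
    finder.feed(html)
    finder.close()
    return finder.remote


def render_decision(html, allow_remote=False):
    """Policy for HTML parts of OpenPGP-encrypted mail (hypothetical, for the
    example): 'refuse' malformed parts, otherwise render with remote loads
    disabled unless the user explicitly allowed them."""
    if has_unterminated_tag(html):
        return "refuse"
    if remote_references(html) and not allow_remote:
        return "render-no-remote"
    return "render"
```

The unterminated-tag check is a deliberately simple end-of-part heuristic; a real client would run a full sanitizer over the whole part before rendering.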