Can we also please talk about the need to MITM the encrypted message first before one can launch any #efail attack? Thanks to ubiquitous TLS, this seems to be the much more difficult feat to pull off these days (unless you have considerable resources). The cost of targeting and MITMing a given user is gigantic.
Telling the general public to uninstall GPG extensions is really silly, they should do the opposite. And install updates and disable html, ffs. Everything else is just FUD 😩
@rugk Yes, but getting on the server still requires considerable resources. It does not justify scaring the general public.
The article and many commentators seem to assume that intercepting someone's e-mails is as easy as sitting next to your target and running Wireshark for a bit. Or even that you can somehow magically obtain them. That is a thing of the past - MITM is quite difficult nowadays.
@rugk you have a point though when someone is using GPG with Gmail, they have forwarded your mailbox to the NSA and the NSA is indeed interested in you. That would fulfill the MITM condition. Even then you need an outdated Enigmail, your mail software must render html and decrypt stuff automatically for the attack to work. And you would immediately notice it because you receive e-mails more than once. *pondering*
Trojans taking screenshots are a much bigger threat, and they're very real... 💩
@bleak true true, I agree that it is a problem for targeted individuals. I was mostly criticising the way it was framed by the authors and handled by the media. In Germany, efail was top news on top websites at some point today, making it appear that everyone is vulnerable because e-mail has been "cracked". This is irresponsible.
@seanl My provider has an optional TLS guarantee and will then absolutely refuse to send e-mails when server-to-server TLS is not possible. Me likey. More information about their TLS config here:
Can't speak for other providers though...