This is likely bad enough operators need to pay attention.
@seecurity tweeted:
"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4"
I have no particular insight into what it is other than presuming from the thread that decryption can be tricked to do bad things.
They recommend temporarily disabling downthread:
"There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: eff.org/deeplinks/2018… #efail 2/4"
That's enough right there. HTML markup in email is used exclusively
by three kinds of people: (1) ignorant newbies who don't know any
better (2) ineducable morons who refuse to learn (3) spammers.
There are no exceptions.
I used to be a resolute user of plain text-only email. It was good
enough for me.
And then I realised how absurdly old-fashioned this appeared to my
clients. I'd send them emails explaining what I was going to do or about
the new product or service, and it just looked boring and backward. I
realised that I could no longer stick to plain text: It was actually
harming my business.
The world has moved on and rich content everywhere is now a must. It's
no longer optional (although of course it depends on with whom one
communicates).
Yes, you can blame this on "ignorant newbies who don't know any better"
but bear in mind that they are now the vast majority of users. They are
the ones ultimately paying the bills and we have to adapt to their
preferences, and not them to us.
P.S. And I agree with Suresh in the previous message. It is true that
there is a real problem here (more with S/MIME than PGP/GPG in practice)
but it's being hyped up and overblown. The content does not fully
support the headlines.
Ah, if it only were those. But the infestation has spread; nearly
every corporate communication these days is polluted by HTML, with
a very high percentage of that containing no content other than
hyperlinks that say, in one form or another, "click on this link
to read your message."
Banks especially.
I imagine some fool told them this improves security, and they were
stupid enough to believe it.
- Brian
It's a bit simpler than that. Too many people are dazzled by polished
presentations. It's a sad fact of life that there are way too many
people walking around that are distracted by shiny things.
> That's enough right there. HTML markup in email is used exclusively
> by three kinds of people: (1) ignorant newbies who don't know any
> better (2) ineducable morons who refuse to learn (3) spammers.
> There are no exceptions.
> ---rsk
>
> Ah, if it only were those. But the infestation has spread; nearly
> every corporate communication these days is polluted by HTML, with
> a very high percentage of that containing no content other than
> hyperlinks that say, in one form or another, "click on this link
> to read your message."
Yes, there are exceptions. Particularly, chemists (and chemical engineers) and physicists who need to embed formulas into their e-mail. They use HTML because it's fast and easy, instead of using the preferred method of building a PDF and sending that.
(I had a long, unfruitful argument with my brother the chem engineer at the time my mail server rejected all incoming HTML mail. I had to change.)
Another exception is that most webmail is HTML and plaintext in MIME format.
I get around the problem of triggering code in Thunderbird by only using the plain text view, dropping to "simplified HTML" view only when necessary, and only when I know the sender.
For years, I was very disciplined about using plain-text only for my outbound messages... but then I got frustrated with seeing email I had posted (to lists like this) - come back with horribly bad line wrapping - that made for very choppy readability. (This may have been better or worse depending on which software or device I was reading it on?)
Then, when I switched to using my Thunderbird client's "plain and html" setting, that problem went away, and posts that I made didn't look like someone high on drugs typed them.
Which category best describes my wonderful, intelligent (but decidedly non-technical), 84-year-old mother-in-law, who has been using email for a couple of decades (thus certainly not a "newbie"), and is definitely not a spammer? Do you have any advice for how I break it to her that she's an ineducable moron? You know, since there are no exceptions and all.