Yesterday, new vulnerabilities were announced in many OpenPGP and S/MIME webmail clients. These vulnerabilities, called “Efail”, have attracted a lot of attention in the media. According to our analysis, the OpenPGP Efail vulnerabilities do not affect Mailfence. Moreover, according to the information provided in the whitepaper, the OpenPGP protocol itself is safe to use, as long as you do not use a buggy webmail client.
Efail vulnerability document reveals some OpenPGP vulnerabilities: why Mailfence is not affected
There are two attacks that are of concern to security researchers. However, in order to execute them, the attacker must:
Access encrypted emails, e.g. by compromising email accounts, email servers, backup systems or spying on network traffic.
Send or forward intercepted/modified emails to their destination.
1. “Direct exfiltration” attack
This type of attack takes advantage of the fact that modern email programs display HTML to the user. The attacker composes a new email message based on the captured one, starting with an unencrypted part that places an <img> or <style> tag around the captured ciphertext, and then sends it to the recipient. When the recipient's email client displays the entire decrypted message, including the captured ciphertext (now in plaintext form), the active content for externally loaded images or styles exfiltrates the plaintext, via the requested URLs, to a remote server.
Why is Mailfence not affected by “direct exfiltration” attacks?
When receiving encrypted emails (ASCII-armored PGP messages), or emails with embedded encrypted content (a mix of plain text and encrypted content), Mailfence never attempts to decrypt them on the fly or automatically. This is because decryption requires the user's private key passphrase, which only the user knows.
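As an added example (not Mailfence's code, and not from the Efail whitepaper), the Python check below shows how a mail gateway or client could flag, before any decryption, a message whose unencrypted HTML leaves an <img> or <style> tag open right in front of an armored PGP block. The verdict names, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

ARMOR = "-----BEGIN PGP MESSAGE-----"
ACTIVE_TAG = re.compile(r"<\s*(img|style)\b", re.IGNORECASE)  # tags named in the text

def leaf_texts(msg):
    """Yield (content_type, text) for every non-multipart part, in message order."""
    for part in msg.walk():
        if not part.is_multipart():
            body = part.get_payload(decode=True) or b""
            yield part.get_content_type(), body.decode("utf-8", "replace")

def classify(raw):
    """Return 'clean', 'mixed' or 'wraps-ciphertext' for a raw message string."""
    tag_left_open = active = cipher = wraps = False
    for ctype, text in leaf_texts(message_from_string(raw)):
        clear, armor, _ = text.partition(ARMOR)  # cleartext preceding any armored block
        if ctype == "text/html" and ACTIVE_TAG.search(clear):
            active = True
            # Does the cleartext HTML end inside a tag that was never closed?
            tag_left_open = clear.rfind("<") > clear.rfind(">")
        elif clear.strip():
            tag_left_open = False
        if armor:
            cipher = True
            # A client that decrypts and joins the parts would render the
            # plaintext inside that open tag.
            wraps = wraps or tag_left_open
            tag_left_open = False
    if wraps:
        return "wraps-ciphertext"
    return "mixed" if active and cipher else "clean"

# Constructed sample, not a real message: placeholder ciphertext, reserved .invalid host.
SAMPLE = (
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="XX"\n\n'
    '--XX\nContent-Type: text/html\n\n<img src="http://example.invalid/\n'
    "--XX\nContent-Type: text/plain\n\n" + ARMOR + "\nPLACEHOLDER\n"
    "-----END PGP MESSAGE-----\n--XX--\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A "mixed" verdict (active HTML and ciphertext in one message, but no open tag) is weaker evidence and is better treated as a reason to render parts in isolation than as proof of tampering.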