
Comment on the article "EFAIL flaw allows reading messages encrypted with PGP and S/MIME" by xxxxx - Just turning off "external images" and the like is not enough! In most cases...

  • The article is old; new comments can no longer be added.
  • 15. 5. 2018 15:38

    xxxxx (unregistered)

    Just turning off "external images" and the like is not enough! In most cases you really need to turn off HTML rendering entirely (and possibly other things, such as JS), if that is possible.

    I dug through the published PDF and will quote from it here:

    HTML... The most prominent form of HTML content are images. Of the tested 48 email clients, 13 load external images by default. For ten of them, this can be turned off whereas three clients have no option to block remote content. All other clients block external images by default or explicitly ask the user before downloading. We analyzed all HTML elements that could potentially bypass the blocking filter and trigger a backchannel using a comprehensive list of HTML4, HTML5 and non-standard HTML elements that allow including URIs. For each element-attribute combination, links were built using a variety of well-known [6] and unofficial [7] URI schemes based on the assumption that http:// links may be blacklisted by a mail client while others might be allowed. We added specific link/meta tags in the HTML header. In addition, we tested against the vectors from the Email Privacy Tester [8] project and the Cure53 HTTPLeaks [9] repository. This extensive list of test-cases allowed us to bypass external content blocking in 22 email clients.

    Cascading Style Sheets (CSS)... Most mail clients allow CSS declarations to be included in HTML emails. Based on the CSS2 and CSS3 standards we assembled an extensive list of properties that allow included URIs, like background-image url("http://efail.de"). These allowed bypassing remote content blocking on 11 clients.

    JavaScript... We used well-known Cross Site Scripting test vectors [10,11] and placed them in various header fields like Subject: as well as in the mail body. We identified five mail clients which are prone to JavaScript execution, allowing the construction of particularly flexible backchannels.
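An added example, not part of the comment above or of the quoted paper: a gateway-side check that reports every network-reaching URI in an HTML mail body, whatever tag, attribute, CSS declaration or scheme carries it, instead of filtering only `http://` image sources. The names `RemoteRefFinder` and `find_remote_refs`, the `.invalid` hosts and the sample body are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Any scheme followed by //, or a protocol-relative //host, not only http://.
URI_RE = re.compile(r"(?i)(?:\b[a-z][a-z0-9+.-]*:)?//[^\s\"'<>)]+")
CSS_URL_RE = re.compile(r"(?i)url\(\s*['\"]?([^'\")]+)")
INLINE = ("cid:", "data:")  # resolved from the message itself, no network fetch

def uris(text):
    text = text.strip()
    return [] if text.lower().startswith(INLINE) else URI_RE.findall(text)

class RemoteRefFinder(HTMLParser):
    """Collect (location, uri) for every URI-bearing spot, whatever the tag."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def _css(self, where, css):
        for target in CSS_URL_RE.findall(css):
            self.findings += [(where, u) for u in uris(target)]

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if name == "style":  # inline CSS on any element
                self._css(f"{tag}[style]", value or "")
            else:  # every other attribute, not a fixed list of known ones
                self.findings += [(f"{tag}[{name}]", u) for u in uris(value or "")]

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # body of a <style> element
            self._css("style element", data)

def find_remote_refs(html):
    finder = RemoteRefFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample body; hosts use the reserved .invalid TLD.
SAMPLE = """<html><head><link rel="stylesheet" href="ftp://a.example.invalid/s.css">
<style>body { background-image: url("http://b.example.invalid/bg") }</style></head>
<body><img src="cid:logo@local"><img src="http://c.example.invalid/i.png">
<p style="background-image: url(//d.example.invalid/p)">text</p></body></html>"""
```

On the sample, only one of the four findings is an `img` source; a filter that looks at images alone would pass the other three.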