Before anyone freaks out about "efail", realize that using it would be: 1) extremely easy to detect 2) archived in your target's email As an attacker, I could not care less about this technique. It's intellectually neat, but operationally stupid. https://efail.de/efail-attack-paper.pdf …
-
-
I also don't see any attempt to coordinate with major MTAs (e.g., Google or Microsoft). MTAs could have set up detections for direct exploitation and, likely, reviewed everyone's mailboxes for already delivered mail.pic.twitter.com/26SojYl2xb
Show this thread -
Don't confuse my distaste for the disclosure with advocacy for S/MIME, PGP, or encrypted email. You should: 1) use authenticated cryptography ffs! 2) stop using email and start using Signal if you need privacy
Show this thread
End of conversation
New conversation -
-
-
consisting that there are more possibilities for an attack than just using an image (in case of s/mime even ocsp) such a script would need way too many different (variations of) possibilities and could never cover all of them. May imply false security if used.
-
*considering That said, in the paper at the end, they describe where they did some backtracking to search for these attacks. They e.g. searched spam mails. Generally they found no attacks in the wild in the mails they've searched.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.