Hacker News new | past | comments | ask | show | jobs | submit login

Hey! S/MIME is broken (see eFAIL) and I don’t believe there exist any mitigation’s to the attacks that have been published.

tl;dr: there exist ways to read your emails without knowing the private keys.






eFAIL documents a series of client implementation errors in a 2018 paper that allow attackers to exfiltrate plaintext by emailing you your own encrypted messages with an attacker payload.

Diary site implementations will need to carefully evaluate whether this is relevant to them or to their users, who may well have been fine emailing plaintext to begin with (if you want an encrypted diary, you probably aren’t going to use email to write in it), before they assume that it’s a concern and begin testing email clients.


IIRC this is true for PGP but not for S/MIME which was broken at the protocol level.



Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: