[Users] Efail: Claws Mail status

Steffen Klemer moh at gmx.org
Thu May 17 11:31:26 CEST 2018

On Thu, 17.05.2018 at 10:16, Colin Leroy <colin at colino.net> wrote:

> > The main vector for using the vulnerability is HTML mail, which
> > Claws does not support by default. As far as I could see, there was
> > no specific reference to the HTML plugins; as far as I understand,
> > Claws with an HTML plugin (like Fancy) should get the same score
> > as, e.g. KMail (that is, vulnerability can be abused but requires
> > user interaction to do so).  
> From what I understand, the Efail attack works when the MUA
> concatenates multiple HTML parts for display:
>     https://www.ghacks.net/2018/05/14/openpgp-and-s-mime-vulnerability-efail-discovered/
> Even when using an HTML-rendering plugin like Fancy, Claws Mail only
> displays one HTML part at a time and does not concatenate them.

This is true for the first attack vector.

But with the 2nd attack vector cipher-text of known clear-text can be
changed. This might be noticed because the signature will be wrong but
Claws will display the message nevertheless and only have a 'sig
broken' written underneath it. And also you might have an encrypted but
not signed mail or the attacker simply strips the signature away
(possible in S/MIME-case).

An example for such a tampering is in
page 4 right column. Further down they propose to start with the most
often included "Content-type: multipart/signed" as known clear-text
(Figure 5). But it could be anything. Some companies always have the
same headlines in mails etc. It would be hard to change something not
at the beginning of the mail because you usually don't know the exact

In the OpenPGP case there is some anti-tampering mechanism called 'MDC'
so a changed cipher-text might be noticed. But because of compatibility
reasons it is quite difficult to parse the gnupg output correctly and
decide what to do (PGP didn't support it for some time). This is what
Werner Koch referred to here:

A full solution for Claws, as I understand it, can really only be to not
send any request to any server mentioned in a mail. (not loading
img, css, js, embed in HTML, not sending URLs to online virus
checkers...). But this should be the case for privacy reasons anyway.
iirc in the past the webkit plugin sometimes requested stuff over the
wire although the user didn't click 'load remote content'. But I can't
remember the details.

> Werner Koch recently posted the following table on the GnuPG list
> (which he got from the original paper, I believe);
> |         | Claws           | no     | no   | no   | no  |

I think this is only true without html-plugin. Otherwise it should be
the same as KMail.


 ()  ascii ribbon campaign - against html e-mail 
 /\                        - against proprietary attachments
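
Added example (not part of the original message, and not Claws Mail or GnuPG code): a fail-closed check over the machine-readable lines gpg writes with --status-fd, for the MDC decision discussed in the message above. It assumes the GOODMDC, BADMDC, DECRYPTION_OKAY and DECRYPTION_FAILED status keywords; the enum, the function names and the sample logs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum verdict { SHOW_PLAINTEXT, REJECT_TAMPERED, REJECT_NO_INTEGRITY, REJECT_FAILED };
/* Constructed sample status logs (not captured from a real gpg run). */
static const char SAMPLE_GOOD[] = "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] GOODMDC\n[GNUPG:] END_DECRYPTION\n";
static const char SAMPLE_NO_MDC[] = "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n";
static const char SAMPLE_BAD_MDC[] = "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] BADMDC\n[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n";

/* Return 1 only if the line is "[GNUPG:] <kw>" followed by a space or line end. */
static int has_keyword(const char *line, size_t len, const char *kw)
{
    static const char prefix[] = "[GNUPG:] ";
    size_t plen = sizeof prefix - 1, klen = strlen(kw);

    if (len < plen + klen || memcmp(line, prefix, plen) || memcmp(line + plen, kw, klen))
        return 0;
    return len == plen + klen || line[plen + klen] == ' ';
}

/* Classify a newline-separated status log. Fails closed: plaintext is shown
 * only when decryption succeeded AND the MDC was verified. */
enum verdict classify_status(const char *status)
{
    int okay = 0, good_mdc = 0, bad_mdc = 0, failed = 0;
    while (*status) {
        size_t len = strcspn(status, "\n");
        size_t n = (len && status[len - 1] == '\r') ? len - 1 : len; /* trim CR */
        okay     |= has_keyword(status, n, "DECRYPTION_OKAY");
        good_mdc |= has_keyword(status, n, "GOODMDC");
        bad_mdc  |= has_keyword(status, n, "BADMDC");
        failed   |= has_keyword(status, n, "DECRYPTION_FAILED");
        status += len + (status[len] == '\n');
    }
    if (bad_mdc)
        return REJECT_TAMPERED;
    if (failed || !okay)
        return REJECT_FAILED;
    return good_mdc ? SHOW_PLAINTEXT : REJECT_NO_INTEGRITY;
}

int main(void)
{
    printf("%d %d %d\n", classify_status(SAMPLE_GOOD),
           classify_status(SAMPLE_NO_MDC), classify_status(SAMPLE_BAD_MDC));
    return 0;
}
```

A message that decrypts but carries no verified MDC is treated as REJECT_NO_INTEGRITY instead of being rendered with a warning underneath it.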
