[tptacek]

S/MIME manages the feat of being even less secure than PGP-encrypted email, which was, again, a low bar to trip over.

[Avamander]

Please elaborate.

[wolf550e]

I think efail showed S/MIME was even more susceptible.

[Avamander]

That vulnerability has been largely mitigated, hasn't it? I'm really curious how GPG is more secure than S/MIME right now.

[wolf550e]

"8.2 Countering malleability gadget attacks" in the efail paper says: "The S/MIME standard does not provide any effective security measures countering our attacks" and "Although CMS defines an AuthenticatedData type [29], S/MIME’s current specification does not."

If the S/MIME spec does not enforce (and it seems it doesn't even allow, not just does't enforce) Authenticated Encryption, then it violates "the cryptographic doom principle" and should not be used for anything except CTFs and cryptopals exercises.

[Avamander]

The effective measure against their attack is signing and encrypting your e-mail sent with S/MIME? If it's just encrypted then yes, there's malleability issues but if it's signed I don't see it happening.