
Efail and Kopano WebApp

The announcement of the Efail vulnerability has led to a surge of contradictory opinions and statements. After having read the paper and having performed extensive tests against Kopano over the last few days, we can now state the following:

  • To be sure that your sent messages are not tampered with, you should always sign your messages, even when you are already encrypting them.
  • Kopano WebApp is not vulnerable to Direct Exfiltration since on decryption unencrypted parts get cleaned and replaced in the mail viewer.
  • S/MIME is vulnerable to the shown CBC/CFB gadget attack. This is, unfortunately, something in the design of S/MIME. The only way around this is to display only the plain text part when viewing S/MIME messages.
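
One way a mail viewer could apply the two mitigations above, shown as an added Python example that is not Kopano's code: it lists the unencrypted parts that sit beside an S/MIME encrypted part (the parts to discard after decryption) and renders only the text/plain parts of a decrypted payload. The function names and both sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def is_enveloped(part) -> bool:
    """True for an S/MIME encrypted (enveloped-data) leaf part."""
    return (part.get_content_type() in SMIME_TYPES
            and part.get_param("smime-type", "enveloped-data") == "enveloped-data")

def cleartext_siblings(raw: bytes) -> list:
    """Content types of unencrypted leaves that share a message with an
    encrypted part; a viewer should discard these after decryption."""
    msg = message_from_bytes(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    if not any(is_enveloped(p) for p in leaves):
        return []
    return [p.get_content_type() for p in leaves if not is_enveloped(p)]

def plain_text_view(decrypted: bytes) -> str:
    """Return only the inline text/plain parts of a decrypted payload.
    HTML is never returned, so nothing in it can be rendered or fetched."""
    msg = message_from_bytes(decrypted, policy=policy.default)
    return "\n".join(p.get_content().strip() for p in msg.walk()
                     if p.get_content_type() == "text/plain"
                     and not p.is_attachment())

# Constructed samples: an encrypted part wrapped by cleartext HTML parts,
# and a decrypted multipart/alternative body (placeholder ciphertext).
MIXED = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="mix"\r\n\r\n'
    b"--mix\r\nContent-Type: text/html\r\n\r\n<p>cleartext before</p>\r\n"
    b"--mix\r\nContent-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nQ09OU1RSVUNURUQ=\r\n"
    b"--mix\r\nContent-Type: text/html\r\n\r\n<p>cleartext after</p>\r\n"
    b"--mix--\r\n"
)
DECRYPTED = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="alt"\r\n\r\n'
    b"--alt\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Quarterly figures attached.\r\n"
    b"--alt\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<p>Quarterly <b>figures</b> attached.</p>\r\n--alt--\r\n"
)

if __name__ == "__main__":
    print(cleartext_siblings(MIXED))   # parts to drop from the view
    print(plain_text_view(DECRYPTED))  # text shown to the user
```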

We do see further opportunities to reduce the possibility of leaking access information, such as disabling the on-demand fetching of intermediate CAs and disabling OCSP verification by default. These changes will be incorporated in future releases of the S/MIME plugin for Kopano WebApp.

If you have any questions about Efail and Kopano, please do not hesitate to contact us via

Felix Bartels