Ah, they've published their paper, but the tl;dr seems to be: Don't use HTML mails. If you receive an encrypted HTML mail, don't load external ressources. It's a nice attack, sure, but not trusting HTML mails in the first place is hardly a novel concept. Details: https://efail.de/ #gpg #pgp