The topic of that paper is that HTML is used as a back channel to create
an oracle for modified encrypted mails. It is long known that HTML
mails and in particular external links like <img href="tla.org/TAG"/>
are evil if the MUA actually honors them (which many meanwhile seem to
do again; see all these newsletters). Due to broken MIME parsers a
bunch of MUAs seem to concatenate decrypted HTML mime parts which makes
it easy to plant such HTML snippets.
There are two ways to mitigate this attack
- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.
- Use authenticated encryption.