<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, May 14, 2018 at 12:12 PM, Ray Dillinger <span dir="ltr"><<a href="mailto:bear@sonic.net" target="_blank">bear@sonic.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-"><br>
<br>
On 05/14/2018 10:55 AM, Erik wrote:<br>
> I've been following this, and one thing I'm confused about is what it<br>
> means by "automatic".<br>
> <br>
> For instance, most people type in a password to decrypt an e-mail, and<br>
> the rest of the e-mails are then decrypted when you click on them. Is<br>
> this "Automatic"?<br>
> <br>
> Do I really have to disable enigmail, or do I have to simply not decrypt<br>
> any messages until more information is released?<br>
<br>
</span>Speculation currently is that there is some information leakage<br>
to an HTTP server when an HTML webpage is rendered from a URL<br>
given in an encrypted email.<br>
<br>
This is speculation, not certainty.</blockquote><div> </div><div>Thunderbird just downloaded an update .. Hmmm not completely fixed. <br>   <a href="https://efail.de/">https://efail.de/</a> <-- this seems authoritative.</div><div>The attack is remote in part... <span style="color:rgb(120,120,120);font-family:Times;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:justify;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">The emails could even have been collected years ago.<br><br></span></div><div>On the SourceForge for enigmail </div><div> </div><div>    Patric Brunschwig -- 6 hours ago</div><div><div class="gmail-display_post" style="box-sizing:inherit;margin:0px 5px 0px 0px;padding:5px;border:0px;outline:0px;font-size:14px;vertical-align:baseline;background:rgb(255,255,255);color:rgb(85,85,85);font-family:Lato,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:left;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div class="gmail-markdown_content" style="box-sizing:inherit;margin:0px;padding:0px;border:0px;outline:0px;font-size:14px;vertical-align:baseline;background:transparent"><p style="box-sizing:inherit;margin:0px;padding:0px 10px 1em;border:0px;outline:0px;font-size:14px;vertical-align:baseline;background:transparent;word-wrap:break-word">Today, information about the<span> </span><a class="gmail-" href="https://efail.de/" rel="nofollow" style="box-sizing:inherit;margin:0px;padding:0px;font-size:14px;vertical-align:baseline;background:transparent;outline:none;color:rgb(0,153,204);text-decoration:none">Efail</a><span> </span>vulerability was released. This weakness was adressed in Enigmail 2.0, released in March 2018. Unfortunately, this vulnerability does not only cover Enigmail, but also Thunderbird. Thunderbird is not yet completely fixed today; the developers are still working on fixing the vulnerabiliy on their side.</p><p style="box-sizing:inherit;margin:0px;padding:0px 10px 1em;border:0px;outline:0px;font-size:14px;vertical-align:baseline;background:transparent;word-wrap:break-word">I therefore recommend that you install the latest versions of Thunderbird and Enigmail (currently 52.7 and 2.0.3 respectively), and disable viewing HTML mails in Thunderbird via menu<span> </span><code style="box-sizing:inherit;font-size:14px;margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:monospace,sans-serif">View</code><span> </span>><span> </span><code style="box-sizing:inherit;font-size:14px;margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:monospace,sans-serif">Message Body as</code><span> </span>><span> </span><code style="box-sizing:inherit;font-size:14px;margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:monospace,sans-serif">Plain Text</code>. This will prevent you from any form of the the vulnerability described. Furthermore, once Thunderbird 52.8 will be released, I recommend to upgrade as soon as possible.</p><h2 id="gmail-details" style="box-sizing:inherit;margin:0px;padding:0px 10px 0.5em;border:0px;outline:0px;font-size:25.2px;vertical-align:baseline;background:transparent;font-weight:700;font-family:Lato,sans-serif;line-height:36px">Details</h2><p style="box-sizing:inherit;margin:0px;padding:0px 10px 1em;border:0px;outline:0px;font-size:14px;vertical-align:baseline;background:transparent;word-wrap:break-word">Ther eare two<span> </span>different attacks outlined in the Efail paper. One targets OpenPGP<br style="box-sizing:inherit">directly, and GnuPG has had mitigations against it for almost twenty<br style="box-sizing:inherit">years. Reports saying that GnuPG is vulnerable are wrong.</p><p style="box-sizing:inherit;margin:0px;padding:0px 10px 1em;border:0px;outline:0px;font-size:14px;vertical-align:baseline;background:transparent;word-wrap:break-word">The other one targets buggy MIME parsing by email clients. Enigmail<br style="box-sizing:inherit">previously had some susceptibility to it, but as of Enigmail 2.0 we've<br style="box-sizing:inherit">closed up all the leaks on our side of things. There is still a small<br style="box-sizing:inherit">bit of attack surface in Thunderbird. The code to fix that has been<br style="box-sizing:inherit">checked into Thunderbird and will be part of the next Thunderbird release.</p></div></div></div></div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">  T o m    M i t c h e l l</div></div>
</div></div>