[Cryptography] Critical PGP and S/MIME bugs can reveal encrypted emails—uninstall now

Patrick Chkoreff pc at fexl.com
Mon May 14 15:49:42 EDT 2018


Erik wrote on 05/14/2018 01:55 PM:
> I've been following this, and one thing I'm confused about is what it
> means by "automatic".
> 
> For instance, most people type in a password to decrypt an e-mail, and
> the rest of the e-mails are then decrypted when you click on them. Is
> this "Automatic"?
> 
> Do I really have to disable enigmail, or do I have to simply not decrypt
> any messages until more information is released?

Based on my quick skim of https://efail.de/, here is my current hypothesis.

~~
HYPOTHESIS:

It does not matter whether the decryption is "automatic" or not --
whatever that may mean.  The problem occurs when your email client loads
embedded images.  I recommend disabling the automatic loading of images.
 That's been my setting for a long time.

If you do that, then you can decrypt an email with no problems.
However, if your browser displays the button to load embedded images, DO
NOT CLICK THAT BUTTON.

If you follow that rule, you are not vulnerable.
~~


WARNING:  That hypothesis could be wrong, but that's how I understand
the problem at the moment.  Do not bet your life or money on it.


-- Patrick
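
As an added illustration of the rule in the message above (not part of the original post and not written by its author): a Python check that lists the remote images an HTML mail part would fetch if image loading were enabled, as opposed to images embedded in the message itself. The sample message, the function names and the `.invalid` hosts are constructed for this example.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not real mail); .invalid hosts never resolve.
SAMPLE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello</p>
<img src="cid:logo@example.invalid">
<img src="http://example.invalid/pixel.png">
<IMG SRC='//example.invalid/b.gif'>
</body></html>
"""

def is_remote(url):
    """True if fetching this URL would contact a network host."""
    parts = urlsplit(url.strip())
    if parts.scheme in ("http", "https"):
        return True
    # Protocol-relative form (//host/path) also goes out to the network.
    return parts.scheme == "" and bool(parts.netloc)

class ImgFinder(HTMLParser):
    """Collects src values of <img> tags that point at remote hosts."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value and is_remote(value):
                    self.remote.append(value)

def remote_images(raw_message):
    """Return remote image URLs found in every text/html part."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = ImgFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.remote
```

Images referenced with `cid:` or `data:` travel inside the message and cause no network request; only the URLs this function returns would be requested when images are loaded.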

