[Cryptography] Critical PGP and S/MIME bugs can reveal encrypted emails— ?uninstall now?
Tom Mitchell
mitch at niftyegg.com
Mon May 14 19:23:06 EDT 2018
On Mon, May 14, 2018 at 12:12 PM, Ray Dillinger <bear at sonic.net> wrote:
>
>
> On 05/14/2018 10:55 AM, Erik wrote:
> > I've been following this, and one thing I'm confused about is what it
> > means by "automatic".
> >
> > For instance, most people type in a password to decrypt an e-mail, and
> > the rest of the e-mails are then decrypted when you click on them. Is
> > this "Automatic"?
> >
> > Do I really have to disable enigmail, or do I have to simply not decrypt
> > any messages until more information is released?
>
> Speculation currently is that there is some information leakage
> to an HTTP server when an HTML webpage is rendered from a URL
> given in an encrypted email.
>
> This is speculation, not certainty.
Thunderbird just downloaded an update .. Hmmm not completely fixed.
https://efail.de/ <-- this seems authoritative.
The attack is remote in part... The emails could even have been collected
years ago.
On the SourceForge for enigmail
Patric Brunschwig -- 6 hours ago
Today, information about the Efail <https://efail.de/> vulerability was
released. This weakness was adressed in Enigmail 2.0, released in March
2018. Unfortunately, this vulnerability does not only cover Enigmail, but
also Thunderbird. Thunderbird is not yet completely fixed today; the
developers are still working on fixing the vulnerabiliy on their side.
I therefore recommend that you install the latest versions of Thunderbird
and Enigmail (currently 52.7 and 2.0.3 respectively), and disable viewing
HTML mails in Thunderbird via menu View > Message Body as > Plain Text.
This will prevent you from any form of the the vulnerability described.
Furthermore, once Thunderbird 52.8 will be released, I recommend to upgrade
as soon as possible.
Details
Ther eare two different attacks outlined in the Efail paper. One targets
OpenPGP
directly, and GnuPG has had mitigations against it for almost twenty
years. Reports saying that GnuPG is vulnerable are wrong.
The other one targets buggy MIME parsing by email clients. Enigmail
previously had some susceptibility to it, but as of Enigmail 2.0 we've
closed up all the leaks on our side of things. There is still a small
bit of attack surface in Thunderbird. The code to fix that has been
checked into Thunderbird and will be part of the next Thunderbird release.
--
T o m M i t c h e l l
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20180514/7565f35c/attachment.html>
More information about the cryptography
mailing list