Menu

Enigmail won't batch decode and save multiple attachments

ralphldcm
2020-09-20
2020-09-23
  • ralphldcm

    ralphldcm - 2020-09-20

    I need to be able to send multiple encrypted attachments in email to Thunderbird (Enigmail). Can Enigmail automatically decode these attachmeents??? If not, can I batch decode and save these attachments??? I tried a Select All (ctrl-a), right-clicked, and selected Decode and Save, but only one attachment was saved. It is a pain to select and "Decode and Save" 20 separate attachment files. I am new to Enigmail and encrypted email in general, so any help is much appreciated.

     
  • Patrick Brunschwig

    No it can't do that. But this is inline-PGP, which is considered legacy.

    I'd recommend you use PGP/MIME for sending the mail (i.e. a single encrypted mail with all attachments being part of the encrypted content).

     
    • ralphldcm

      ralphldcm - 2020-09-22



      <meta content="text/html; charset=windows-1252" http-equiv="Content-Type">


      Patrick

      Thank you very much for responding.  I really appreciate it.  Now
      another question.  I have been discussing email encryption on Ubuntu
      Forums and somebody sent me this web site: 
      https://efail.de/#what-is .  It describes a possible attack on
      encrypted email called Efail,and says the Thunderbird/Enigmail is
      vulnerable to it. 



      1. Is it true that Enigmail is vulnerable to the Efail attack???

      2. Does using PGP/MIME prevent this attack??

      3.  Does the fact that Enigmail does not automatically decrypt
      attachments protect attachments against this attack???

      4. Is there a fix planned to prevent the Efail attack???



      Thank you very much for your time.

      Ralph



      On 9/20/20 12:52 AM, Patrick Brunschwig
      wrote:



      <meta content="text/html; charset=windows-1252" http-equiv="content-type">

      No it can't do that. But this is inline-PGP, which is
      considered legacy.


      I'd recommend you use PGP/MIME for sending the mail (i.e. a
      single encrypted mail with all attachments being part of the
      encrypted content).




      Enigmail won't batch decode and save
      multiple attachments




      Sent from sourceforge.net because you indicated interest in https://sourceforge.net/p/enigmail/forum/support/


      To unsubscribe from further messages, please visit https://sourceforge.net/auth/subscriptions/





      <link href="https://sourceforge.net/p/enigmail/forum/support/" itemprop="url">
      <meta content="View" itemprop="name">

      <meta content="View" itemprop="description">





       
      • Rob

        Rob - 2020-09-23
        1. Is it true that Enigmail is vulnerable to the Efail attack???

        At one point an older version of Enigmail was, in fact, vulnerable.
        Once the attack was discovered Patrick patched it very quickly. Recent
        versions of Enigmail are not susceptible to Efail.

        1. Does using PGP/MIME prevent this attack??

        For older versions of Enigmail, PGP/MIME actually facilitates it.

        3.  Does the fact that Enigmail does not automatically decrypt
        attachments protect attachments against this attack???

        Not particularly. It's possible to imagine situations where it would,
        but why would an attacker craft an email message like that?

        1. Is there a fix planned to prevent the Efail attack???

        It's already been done.

        As an FYI, many people (myself included) thought the Efail attack was
        overhyped and oversold. The GnuPG developers put out a press release
        that's, IMO, worth reading. (On the other hand, I would say that:
        although I'm not a core developer, I drafted the press release for them
        and once they approved it sent it out.)

        =====

        An Official Statement on New Claimed Vulnerabilities
        == ======== ========= == === ======= ===============
        by the GnuPG and Gpg4Win teams

        (This statement is only about the susceptibility of OpenPGP, GnuPG, and
        Gpg4Win. It does not cover S/MIME.)

        Recently some security researchers published a paper named "Efail:
        Breaking S/MIME and OpenPGP Encryption using Exfiltration Channels".
        The EFF has gone so far as to recommend immediately uninstalling
        Enigmail. We have three things to say, and then we're going to show you
        why we're right.

        1. This paper is misnamed.

        2. This attack targets buggy email clients.

        3. The authors made a list of buggy email clients.

        In 1999 we realized OpenPGP's symmetric cipher mode (a variant of cipher
        feedback) had a weakness: in some cases an attacker could modify text.
        As Werner Koch, the founder of GnuPG, put it: "[Phil Zimmermann] and Jon
        Callas asked me to attend the AES conference in Rome to discuss problems
        with the CFB mode which were on the horizon. That discussion was in
        March 1999 and PGP and GnuPG implemented a first version [of our
        countermeasure]
        about a month later. According to GnuPG's NEWS file,
        [our countermeasure] went live in Summer 2000."

        The countermeasure Werner mentions is called a Modification Detection
        Code, or MDC. It's been a standard part of GnuPG for almost eighteen
        years. For almost all that time, any message which does not have an MDC
        attached has caused GnuPG to throw up big, clear, and obvious warning
        messages. They look something like this:

        gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created
        

        2017-01-01
        "Werner Koch <wk gnupg.org="" at="">"
        [GNUPG:] BEGIN_DECRYPTION
        [GNUPG:] DECRYPTION_INFO 0 7
        [GNUPG:] PLAINTEXT 62 1526109594
        [GNUPG:] PLAINTEXT_LENGTH 69
        There is more to life than increasing its speed.
        -- Mahatma Gandhi
        gpg: WARNING: message was not integrity protected
        [GNUPG:] DECRYPTION_FAILED
        [GNUPG:] END_DECRYPTION</wk>

        GnuPG also throws large warning messages if an MDC indicates a message
        has been modified. In both cases, if your email client respects this
        warning and does the right thing -- namely, not showing you the email --
        then you are completely protected from the Efail attack, as it's just a
        modern spin on something we started defending against almost twenty
        years ago.

        If you're worried about the Efail attack, upgrade to the latest version
        of GnuPG and check with your email plugin vendor to see if they handle
        MDC errors correctly. Most do.

        You might be vulnerable if you're running an ancient version of GnuPG
        (the 1.0 series; the current is 2.2), or if your email plugin doesn't
        handle GnuPG's warning correctly. You might also have had some exposure
        in the past if back then you used a pre-2000 version of GnuPG, and/or an
        email plugin which didn't handle the warning correctly.

        We made three statements about the Efail attack at the beginning. We're
        going to repeat them here and give a little explanation. Now that we've
        explained the situation, we're confident you'll concur in our judgment.

        1. This paper is misnamed. It's not an attack on OpenPGP. It's an
          attack on broken email clients that ignore GnuPG's warnings and do silly
          things after being warned.

        2. This attack targets buggy email clients. Correct use of the MDC
          completely prevents this attack. GnuPG has had MDC support since the
          summer of 2000.

        3. The authors made a list of buggy email clients. It's worth looking
          over their list of email clients (found at the very end) to see if yours
          is vulnerable. But be careful, because it may not be accurate -- for
          example, Mailpile says they're not vulnerable, but the paper indicates
          Mailpile has some susceptibility.

        The authors have done the community a good service by cataloguing buggy
        email email clients. We're grateful to them for that. We do wish,
        though, this thing had been handled with a little less hype. A whole
        lot of people got scared, and over very little.

         

Log in to post a comment.

Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.