What's the status about the Efail gap?
Should Enigmail actually be disabled and discouraged?
Is there a chance for a bug fix - and what's the timeline?
Thanks!
Enigmail is fixed since version 2.0, but there are still open vulnerabilities in Thunderbird. My recommendation is to switch to viewing messages in plain text, and then you're safe. Menu View > Message Body as > Plain text.
Last edit: Patrick Brunschwig 2018-05-14
tl;dr -- don't panic, and especially don't overreact. There are two
different attacks outlined in the Efail paper. One targets OpenPGP
directly, and GnuPG has had mitigations against it for almost twenty
years. (Literally. Almost twenty years. No, I am not kidding.)
The other one targets buggy MIME parsing by email clients. Enigmail
previously had some susceptibility to it, but as of Enigmail 2.0 we've
closed up all the leaks on our side of things. There is still a small
bit of attack surface in Thunderbird. The code to fix that has been
checked into Thunderbird and will be part of the next Thunderbird release.