Boing Boing Staging

Efail: instructions for using PGP again as safely as is possible for now

EFAIL attack against Apple Mail and GPG Tools, with remote content loading disabled


It’s been nearly three weeks since the publication of Efail, a critical set of attacks against PGP/GPG-encrypted emails that was so hard to mitigate that EFF’s recommendation was to stop using it for mail altogether until a solution could be worked out.


Efail is still a serious risk, but progress has been made. EFF has published some guidance on how to assess if using GPG/PGP now will protect you or make you more vulnerable, and how to use encrypted email in a way that protects you as much as possible from Efail attacks.

Thunderbird and Enigmail’s developers have been working on ways to protect against the EFAIL vulnerabilities. As of version 2.0.6 (released Sunday May 27), Enigmail has released patches that defend against all known exploits described in the EFAIL paper, along with some new ones in the same class that other researchers were able to devise, which beat earlier Enigmail fixes. Each new fix made it a little harder for an attackerto get through Enigmail’s defenses. We feel confident that, if you update to this version of Enigmail (and keep updating!), Thunderbird users can turn their PGP back on.

But, while Enigmail now defends against most known attacks even with HTML on, the EFAIL vulnerability demonstrated just how dangerous HTML in email is for security. Thus, we recommend that Enigmail users also turn off HTML by going to View > Message Body As > Plain Text.


How To Turn PGP Back On As Safely As Possible
[Erica Portnoy and Danny O’Brien/EFF Deeplinks]

Exit mobile version