The Electronic Frontier Foundation released a statement recently telling users of OpenPGP-based products that they should disable or uninstall the plugin in their email client. One of the affected products was the Enigmail plugin for Thunderbird, which is what I use. Now mind you, I do not use encrypted email at all; I do maintain a key, but I have never used it for anything other than a few test emails with friends. I do, however, think it is important to have a plan in place; you just never know when such a thing might become useful.
To sum up the vulnerability: if an attacker intercepts one of your encrypted emails, they can insert a couple of lines of HTML and send it back to you; when your email client automatically decrypts the message, the HTML then causes your client to send the clear-text message back to the attacker. This is actually kind of clever. The catch is that it depends on your client being configured in a very specific way. If, for instance, you have a very aggressive junk mail filter, chances are you will never see the email. If you have remote content disabled, the attacker cannot run arbitrary JavaScript or load anything else remotely. Finally, if you disable HTML and only allow plain text, your email client will strip out anything that is not the plain text message, and even if the HTML is still there, it is rendered as plain text. Any one of these settings is likely to stop this form of attack in its tracks.
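To make the two client-side defences above concrete, here is a small Python triage script I wrote for this post (it is not part of the post's original content, and it is not Thunderbird or Enigmail code). It parses a constructed sample message, lists every HTML element that would make a mail client fetch something over the network, notes whether the message also carries PGP-encrypted content, and shows what a "plain text only" view leaves behind: the text, with the remote-loading tags gone. The sample addresses and URLs are made up.

```python
"""Triage helper for the EFAIL-style mail pattern: remote-loading HTML sitting
next to encrypted content. Added example for this post; not Thunderbird or
Enigmail code. Sample message, addresses and URLs below are constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make a mail client fetch something remotely when
# HTML is rendered with remote content enabled.
REMOTE_ATTRS = {
    "img": ("src",), "iframe": ("src",), "script": ("src",), "link": ("href",),
    "object": ("data",), "embed": ("src",), "source": ("src",),
    "video": ("src", "poster"), "audio": ("src",),
}
PGP_ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"


class RemoteRefCollector(HTMLParser):
    """Collects (tag, url) pairs that would trigger a remote fetch."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in REMOTE_ATTRS.get(tag, ()):
                if urlsplit(value).scheme in ("http", "https"):
                    self.refs.append((tag, value))


class TextOnly(HTMLParser):
    """What a 'plain text only' view keeps: text nodes, no tags, no fetches."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def remote_references(html):
    """Return every remote resource the given HTML would load."""
    p = RemoteRefCollector()
    p.feed(html)
    return p.refs


def render_as_plain_text(html):
    """Strip tags the way a plain-text-only view does; remote refs disappear."""
    p = TextOnly()
    p.feed(html)
    return " ".join(" ".join(p.chunks).split())


def triage(raw):
    """Classify one RFC 822 message (bytes): 'warn', 'block-remote' or 'ok'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    refs, encrypted = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "application/pgp-encrypted":  # PGP/MIME control part
            encrypted = True
            continue
        if not ctype.startswith("text/"):
            continue
        body = part.get_content()  # decoded str for text/* parts
        if PGP_ARMOR_HEADER in body:  # inline PGP armor
            encrypted = True
        if ctype == "text/html":
            refs.extend(remote_references(body))
    if encrypted and refs:
        verdict = "warn"  # the pattern the post describes: view as plain text, fetch nothing
    elif refs:
        verdict = "block-remote"
    else:
        verdict = "ok"
    return {"encrypted": encrypted, "remote_refs": refs, "verdict": verdict}


# Constructed sample: an HTML part with a remote image beside an inline PGP block.
SAMPLE = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: re: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="http://tracker.example.invalid/pixel.png"><p>see attached</p></body></html>
--b1
Content-Type: text/plain; charset="utf-8"

-----BEGIN PGP MESSAGE-----

hQEMA3BsYWNlaG9sZGVyIGNpcGhlcnRleHQgKGNvbnN0cnVjdGVkKQ==
-----END PGP MESSAGE-----
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running it on the sample reports the remote image, the encrypted block and the verdict `warn`; `render_as_plain_text` on the same HTML part returns just `see attached`, which is why the "plain text only" setting is enough on its own.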
While this is kind of a big deal, it is also very easy to protect yourself against. I do not think it is particularly necessary to disable or uninstall the plugin, unless you are either very paranoid or know for a fact that someone is attacking you. The moral of this story is: please be careful out there, but don't panic; it is probably not as bad as you think.
Edit:
The Mozilla Foundation's update on this issue:
https://blog.mozilla.org/thunderbird/2018/05/efail-and-thunderbird/