Enigmail is using GPG, which probably uses OpenSSL, so I think it's also
vulnerable to this issue?

Not in any meaningful way.

GnuPG uses libcurl to do things like access remote URLs. libcurl depends on OpenSSL. So yes, it's possible that a man-in-the-middle could eavesdrop/alter an SSL connection to the keyserver you're using... but to what purpose? Public keys are just that, public: they're safe to transmit even without SSL.

Some people prefer to use SSL whenever possible as part of an "encrypt everything" policy. However, just because you encrypt everything doesn't necessarily mean that everything is equally susceptible if/when encryption fails.

If/when this becomes something of general concern to GnuPG, Werner will issue a security bulletin. No such bulletin has been released. Relax and don't worry. :)



_______________________________________________
enigmail-users mailing list
[email protected]
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
