On 05/15/18 16:55, Patrick Brunschwig wrote: > On 15.05.18 21:59, Michael Carbone wrote: >> On 05/14/18 07:31, Patrick Brunschwig wrote: >>> On 14.05.18 08:54, Michael Carbone wrote: >>>> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now >>>> >>>> >>>> >>>> https://www.eff.org/deeplinks/2018/05/disabling-pgp-thunderbird-enigmail >>>> >>>> looking forward to hearing more soon... >>> >>> The recommendation of the EFF is simply wrong. Enigmail contains fixes >>> or workarounds for the described attacks latest since Enigmail version >>> 2.0. >> >> okay thanks for the clarification Patrick. >> >>> There is one attack that affects both Enigmail and Thunderbird with >>> S/MIME, and will be fixed in Thunderbird 52.8 (yet to be released) >> Given that there seems to be one attack that does affect Enigmail, and >> the potential exfiltration pathways listed in the paper, would you >> recommend waiting for these fixes to come out prior to re-enabling >> Enigmail? > > The correct response is to view messages as plain text (menu View > > Message Body as > Plain Text). That bug is actually in Thunderbird an > cannot be fixed in Enigmail. > > Any other attacks can be and _are_ addressed in Enigmail. Therefore > there is no reason to deactivate Enigmail, especially as S/MIME in > Thunderbird is affected by the same issues -- and S/MIME cannot be > deactivated.
Thanks for 2.0.4, with that we are recommending folks re-enable as long as Enigmail is up-to-date (as well as text-only rendering, remote content loading is disabled). Michael -- Michael Carbone Manager of Security Education Digital Security Helpline Access Now | https://www.accessnow.org/help PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4
signature.asc
Description: OpenPGP digital signature
_______________________________________________ enigmail-users mailing list [email protected] To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
