The enforcement for MDC has been introduced in Enigmail 2.0 for "new"
cipher algorithms (AES in all variants, TWOFISH, CAMELLIA).

In Enigmail 2.0.4 this was extended this to all cipher algorithms.

-Patrick

On 17.05.18 09:17, Wolf wrote:
> Since which Version ist that the case? (As maybe changelog is of little
> help with the secrecy recently)
> 
> Am May 17, 2018 6:35:32 AM UTC schrieb Patrick Brunschwig
> <patr...@enigmail.net>:
> 
>     I fear that that's likely to happen. A measure against the Efail
>     vulnerability was to disable decryption of messages that have no MDC
>     protection.
> 
>     It's fairly possible that old messages (using old algorithms) have no
>     MDC protection - but there is no way out. You'd risk to be attacked
>     _very_ easily otherwise as the Efail paper clearly explains.
> 
>     I strongly suggest that you only read such old mails on the command line
>     - there is no sensible safeguarding possible in Enigmail.
> 
>     -Patrick
> 
>     (CC-ing the Enigmail Mailing list, as I consider this important info for
>     many other users too)
> 
>     On 17.05.18 08:27, Bitcoin Admin wrote:
> 
> 
>         Hello, I can't use 2.0.4, after installation all my old encrypted
>         messages throw up an error (and don't decrypt anymore), the
>         encryption
>         details show , however, that the correct keys were used.
>         How come?
> 
>         Tom
> 
> 
>         On 05/16/2018 04:40 PM, Patrick Brunschwig wrote:
> 
>             I have released Enigmail v2.0.4 for Thunderbird version 52
>             and SeaMonkey
>             2.46 and newer.
> 
> 
>             Changes
>             =======
>             This version implements two workarounds to prevent against
>             "Efail"
>             vulnerabilities (https://efail.de). I strongly recommend to
>             upgrade to
>             Enigmail 2.0.4 as soon as possible.
> 
> 
>             Details
>             =======
> 
>             Efail: fail on GnuPG integrity check warnings for old Algorithms
>             
> ------------------------------------------------------------------------
> 
> 
>             Enigmail now discovers if GnuPG prints a warning message
>             about missing
>             MDC (Modification Detection Code) for old algorithms like
>             CAST5 and
>             treats it like a hard failure. Such a message will no longer be
>             displayed.
> 
>             Efail: protect against remot URL calls in unpatched Thunderbird
>             
> ------------------------------------------------------------------------
> 
>             I implemented a workaround to prevent against leaking
>             decrypted message
>             data to remote URLs. This workaround is meant as temporary
>             measure until
>             Thunderbird has a more robust solution. The workaround protects
>             successfully against the known forms of the vulnerabilities.
> 
>             I still recommend to use the "Simple HTML" view in Thunderbird
>             (accessible via menu View > Message Body as > Simple HTML)
>             to prevent
>             from loading any remote content.
> 
> 
>             Obtaining Enigmail
>             ==================
>             Enigmail can be downloaded from
>             <https://www.enigmail.net/index.php/en/download/>
> 
>             The changelog is available from
>             <https://www.enigmail.net/index.php/en/download/changelog>
> 
> 
>             Additional Remarks
>             ==================
>             The new version is still waiting for approval on
>             https://addons.mozilla.org; you should receive it
>             automatically via the
>             addons-update once the approval is made.
> 
>             -Patrick
> 
> 

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net

Reply via email to