You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Oh and of course don't enable autoloading remote content and don't manually override it, since that of course defeats the whole purpose of the back-channel fixes. But if you're using encryption you're already privacy-conscious enough to not do something silly like that, right?
Looks like the DNS prefetch issue was a screwup by the Efail authors. They listed it as a problem in the preprint provided to Enigmail, but the final paper doesn't have it, and as far as I can tell that's been fixed for 8 (!) years. So yeah. Just one leak in old TB (preconnect).
Another important timeline tidbit: GPG has been failing with an error (not a warning) in cases of missing MDC since 2.1.9 (released in 2015). So as long as you have a version newer than that (and the client honors errors) you're fine too, e.g. for most commandline users.
Note that *really old* encrypted messages, using ciphers prior to the introduction of MDC, are still vulnerable (if you have a side channel in the mail client). This is fundamental: those messages are using older crypto without integrity protection. GPG cannot error out on those.
The only real solutions for those, besides mail clients plugging the side channels/app-level issues with those, are to either refuse to decrypt them outright (not great) or have an application-level warning and click through.
So you cannot roll back the integrity protection on a message encrypted with modern gpg (because modern ciphers are tied to a hard MDC requirement), but old legacy messages are stuck back in that era, without the integrity protection.
It seems the plan was already to fully deprecate those old cipher suites with GPG 2.3 (the next major version), thus basically erroring out on decrypting old messages without an override, to plug this particular hole (at the expense of really old emails).
Thank you for this thread. Reduces FUD to a minimum! :)
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
