This isn’t just about active content. It’s about the fact that active content can be subtly and comprehensively inserted into encrypted emails using very sophisticated cryptographic techniques, AND that content can be made to exfiltrate other encrypted portions of the data.
The "vulnerable modes" in Enigmail (until the update a few days ago) are simply old pre-MDC ciphers where you cannot enforce the integrity requirement. The newer Enigmail just errors out on those entirely now (thus refusing to decrypt old messages altogether AFAICT).
Note that that still requires the leak in Thunderbird, which has been fixed in the current version as of some time ago (and you can mitigate it on prior versions with a simple pref change).
You’re talking about a disclosure where the Enigmail and GnuPG devs said (incorrectly) that they’d never been notified of the vuln — on disclosure day — and you’re saying the EFF should have a better picture than the devs themselves. pic.twitter.com/CErUpmWXKj
EFF’s big crime is advising users to temporarily disable PGP plugins for a few hours until the details were known. Blame them for that if you want, but it’s a huge stretch to blame the researchers. pic.twitter.com/k2SOZVRoRr