email client - exploits - which repo programs are safe?

6 replies [Last post]
mr.r
Offline
Joined: 07/16/2018

Hello,
Interest in learning more about encryption keys and utilizing encryption for email messages and other forms of contact lead me to view discussions regarding fairly recently revealed exploits attacking encrypted messages tricking email clients to expose and even transmit decrypted portions of what was meant to be hidden.

If it is presumed that some progress has been made in countering the known exploits, which email programs and 'companion' encryption software available from the official Trisquel repos are vetted as reasonably safe to use in light of the problems?

It seems that the safety will also be directly affected by any communication partner in that that individual(s) have also taken appropriate/effective precautions to avoid exposure.

Thanks.

(Trisquel 8.0; no email client established; no email client linked encryption software set up; no link to the outside world other than through this browser?)

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> Interest in learning more about encryption keys and utilizing encryption for email messages and other forms of contact lead me to view discussions regarding fairly recently revealed exploits attacking encrypted messages tricking email clients to expose and even transmit decrypted portions of what was meant to be hidden.

If you're talking about what I'm thinking of, disabling HTML mail (allow plain text only) should be enough to prevent this kind of exploit.

mr.r
Offline
Joined: 07/16/2018

I read a bit about it on eff. Here is one link to a discussion https://www.eff.org/deeplinks/2018/05/pgp-and-efail-frequently-asked-questions#html. (am I allowed to do that?) Disabling HTML was one of the steps toward protecting against the attacks.
There was mention of PGP and EFAIL. I saw something about some email clients and companioned encryption software being patched and there is a chart out there (I am still looking for it again) with greens and some ominous colors for the 'dangerous' software.
But, it is unclear to me where if an email client or encryption software is greened as patched on some chart and assuming it is correct in its assertions, how would I know if the versions in the trisquel repos have received the patches?

mr.r
Offline
Joined: 07/16/2018

I found this page https://efail.de/ which has a list near the bottom of the page under section heading "Responsible Disclosure".
It does date back at 05/2018. So is it solved or just ignored?

liberpoolesque
Offline
Joined: 01/07/2020

The GnuPG package in Trisquel 8 does not seem to be vulnerable to maliciously crafted embedded filenames anymore (which is the vulnerability that enabled SigSpoof, as far as I remember). At least when I tested it, the embedded filename got sanitized correctly.
I also checked Enigmail, and the version that currently comes with Trisquel 8 appears to be built in October of 2018, which is some time after the discovery of EFail, so I'd assume that it has been patched as well, and I haven't heard of any additional vulnerabilities since then.
To be extra safe however, you can disable the loading of external media such as images (which should be the default with icedove), or, as chaosmonk suggested, you can disable HTML mails entirely by going into the menu and selecting: view -> message body -> plain text

Most other GnuPG-enabled mail clients in Trisquel use GpgME, as far as I know, so they should not be vulnerable to EFail at all, but I did not test any of them.

liberpoolesque
Offline
Joined: 01/07/2020

Whoops, I meant to say that GpgME enabled clients are not vulnerable to SigSpoof. I mixed that up.

mr.r
Offline
Joined: 07/16/2018

Thank you for your response.
I attached three files from the https://efail.de/ site. It shows that both Thunderbird (isn't that icedove?) and Enigmail were vulnerable on more than one vector as late as early 2018. I don't know if that information is reliable, just notable.

efail-disclosure-pgp.png efail-disclosure-smime.png efail-disclosure-direct.png