I have released Enigmail v2.0.5 for Thunderbird version 52 and SeaMonkey 2.46 and newer.

Changes
=======

This version protects against all forms of the "Efail" vulnerability (https://efail.de) and similar attacks. I strongly recommend upgrading to Enigmail 2.0.5 as soon as possible.

Details
=======

Efail: protect against any form of the vulnerability
----------------------------------------------------

The approaches of the Thunderbird developers and me so far to protect against the Efail vulnerability were focused on fixing HTML displaying. However, that's quite difficult -- the developers have been working on this for a full week now. And we cannot be sure that it will be impossible to overcome this.

I have now followed a completely different strategy, which changes a paradigm in the behavior of Enigmail: up to now, whenever Thunderbird requested Enigmail to decrypt a PGP/MIME message part, Enigmail did what it was told: decrypt that MIME part. The idea was that that's what the user expects. But that's true -- there is only a very small number of message structures that are created by mail clients. Any other message structures are manually made up, potentially to attack a victim.

I have therefore changed Enigmail to only decrypt PGP/MIME message parts if either (1) the message is entirely encrypted, or (2) the MIME part represents an attached email that itself is fully encrypted. In any other case, Enigmail would no longer decrypt anything, and thus disable any Efail attack. Also, the option "Display Attachments Inline" will no longer work for attached encrypted emails.

There are, however, a few glitches as Thunderbird doesn't always give me enough details. For example, in the case of (2), pictures embedded in an HTML message will not be displayed. I will address this issue, but it requires a Thunderbird API change, and thus will be available with Thunderbird 67 at the earliest.

Obtaining Enigmail
==================

Enigmail can be downloaded from <https://www.enigmail.net/index.php/en/download/>

The changelog is available from <https://www.enigmail.net/index.php/en/download/changelog>

Additional Remarks
==================

The new version is still waiting for approval on https://addons.mozilla.org; you should receive it automatically via the addons-update once the approval is made.

-Patrick
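
The decision rule from the announcement (decrypt a PGP/MIME part only when it is the whole message or the whole of an attached email), modelled as an added example that is not Enigmail's own code, which is a JavaScript add-on. It uses Python's standard `email` parser; the function names, path labels and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import Message

def is_pgp_mime(part: Message) -> bool:
    """True for an RFC 3156 multipart/encrypted container."""
    proto = part.get_param("protocol") or ""
    return (part.get_content_type() == "multipart/encrypted"
            and proto.lower() == "application/pgp-encrypted")

def classify(part: Message, path: str = "root", whole: bool = True):
    """Return [(path, may_decrypt)] for every PGP/MIME part in the tree.

    `whole` is True only when `part` is the root of the message or the root
    of an attached email: cases (1) and (2) in the announcement.
    """
    if is_pgp_mime(part):
        return [(path, whole)]  # the ciphertext itself is never walked
    found = []
    if part.get_content_type() == "message/rfc822":
        # An attached email: its own root starts a new "whole message".
        found += classify(part.get_payload(0), path + "/attached", True)
    elif part.is_multipart():
        # Anything below another multipart is only a fragment of the message.
        for i, child in enumerate(part.get_payload(), 1):
            found += classify(child, f"{path}.{i}", False)
    return found

# Constructed sample input: placeholder ciphertext, not a real OpenPGP message.
ENC = ('Content-Type: multipart/encrypted; boundary="e"; '
       'protocol="application/pgp-encrypted"\n\n'
       '--e\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n'
       '--e\nContent-Type: application/octet-stream\n\n(placeholder)\n--e--\n')
TEXT = "Content-Type: text/plain\n\nhello\n"
ATTACHED = "Content-Type: message/rfc822\n\n" + ENC

def wrap(*bodies: str) -> str:
    """Build a multipart/mixed entity from already-formatted MIME parts."""
    parts = "".join(f"--m\n{b}\n" for b in bodies)
    return f'Content-Type: multipart/mixed; boundary="m"\n\n{parts}--m--\n'

SAMPLES = {
    "fully encrypted": ENC,
    "encrypted part among others": wrap(TEXT, ENC, TEXT),
    "attached encrypted email": wrap(TEXT, ATTACHED),
}

def verdicts(raw: str):
    return classify(message_from_string(raw))

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {verdicts(raw)}")
```
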