Re: [Trisquel-users] email client - exploits - which repo programs are safe?

2020-02-14 Thread emrobin2

Thank you for your response.
I attached three files from the https://efail.de/ site.  It shows that both  
Thunderbird (isn't that icedove?) and Enigmail were vulnerable on more than  
one vector as late as early 2018.  I don't know if that information is  
reliable, just notable.


Re: [Trisquel-users] email client - exploits - which repo programs are safe?

2020-02-14 Thread liberpool
Whoops, I meant to say that GpgME enabled clients are not vulnerable to  
SigSpoof. I mixed that up.


Re: [Trisquel-users] email client - exploits - which repo programs are safe?

2020-02-14 Thread liberpool
The GnuPG package in Trisquel 8 does not seem to be vulnerable to maliciously  
crafted embedded filenames anymore (which is the vulnerability that enabled  
SigSpoof, as far as I remember). At least when I tested it, the embedded  
filename got sanitized correctly.
I also checked Enigmail, and the version that currently comes with Trisquel 8  
appears to be built in October of 2018, which is some time after the  
discovery of EFail, so I'd assume that it has been patched as well, and I  
haven't heard of any additional vulnerabilities since then.
To be extra safe however, you can disable the loading of external media such  
as images (which should be the default with icedove), or, as chaosmonk  
suggested, you can disable HTML mails entirely by going into the menu and  
selecting: view -> message body -> plain text


Most other GnuPG-enabled mail clients in Trisquel use GpgME, as far as I  
know, so they should not be vulnerable to EFail at all, but I did not test  
any of them.


Re: [Trisquel-users] email client - exploits - which repo programs are safe?

2020-02-12 Thread emrobin2
I found this page https://efail.de/ which has a list near the bottom of the  
page under section heading "Responsible Disclosure".

It does date back to 05/2018.  So is it solved or just ignored?


Re: [Trisquel-users] email client - exploits - which repo programs are safe?

2020-02-12 Thread emrobin2
I read a bit about it on eff.  Here is one link to a discussion:  
https://www.eff.org/deeplinks/2018/05/pgp-and-efail-frequently-asked-questions#html  
(am I allowed to do that?)  Disabling HTML was one of the steps toward  
protecting against the attacks.
There was mention of PGP and EFAIL.  I saw something about some email clients  
and companion encryption software being patched, and there is a chart out  
there (I am still looking for it again) with greens and some ominous colors  
for the 'dangerous' software.
But it is unclear to me: if an email client or encryption software is  
marked green as patched on some chart, and assuming it is correct in its  
assertions, how would I know if the versions in the Trisquel repos have  
received the patches?


Re: [Trisquel-users] email client - exploits - which repo programs are safe?

2020-02-12 Thread mason
> Interest in learning more about encryption keys and utilizing encryption  
> for email messages and other forms of contact led me to view discussions  
> regarding fairly recently revealed exploits attacking encrypted messages,  
> tricking email clients to expose and even transmit decrypted portions of what  
> was meant to be hidden.


If you're talking about what I'm thinking of, disabling HTML mail (allow  
plain text only) should be enough to prevent this kind of exploit.
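Both liberpool's and mason's replies above come down to the same two client settings: show message bodies as plain text and do not load remote content. The script below is an added example (not from the thread, Trisquel, or the Thunderbird project) that audits a Thunderbird/Icedove prefs.js for exactly those two settings; it uses Thunderbird's about:config preference names and assumes Trisquel's Icedove build keeps them unchanged, and the two sample profiles are constructed.

```shell
#!/bin/sh
# Audit a Thunderbird/Icedove prefs.js for the two EFail mitigations the
# thread recommends: render message bodies as plain text and block remote
# content such as images.  Preference names are Thunderbird's about:config
# keys; assumed (not verified here) to be identical in Trisquel's Icedove.

# pref_value FILE NAME: print the value of the last user_pref("NAME", ...)
# line in FILE, or nothing if the pref is not set there.
pref_value() {
    sed -n "s/^user_pref(\"$2\", *\(.*\));.*/\1/p" "$1" | tail -n 1
}

# efail_hardened FILE: return 0 when HTML rendering is off (html_as = 1,
# i.e. View -> Message Body As -> Plain Text) and remote images are not
# explicitly enabled; otherwise report each missing setting and return 1.
efail_hardened() {
    prefs="$1"
    status=0
    html_as=$(pref_value "$prefs" "mailnews.display.html_as")
    if [ "$html_as" != "1" ]; then
        echo "mailnews.display.html_as is '${html_as:-unset}', want 1 (plain text)"
        status=1
    fi
    # disable_remote_image defaults to true, so only an explicit false is a finding
    remote=$(pref_value "$prefs" "mailnews.message_display.disable_remote_image")
    if [ "$remote" = "false" ]; then
        echo "mailnews.message_display.disable_remote_image is false (remote content loads)"
        status=1
    fi
    return $status
}

# Constructed sample profiles for a stand-alone run (not real user data).
demo=$(mktemp -d)
cat > "$demo/weak.js" <<'EOF'
user_pref("mailnews.display.html_as", 0);
user_pref("mailnews.message_display.disable_remote_image", false);
EOF
cat > "$demo/hardened.js" <<'EOF'
user_pref("mailnews.display.html_as", 1);
user_pref("mailnews.display.prefer_plaintext", true);
EOF
for p in weak hardened; do
    if efail_hardened "$demo/$p.js"; then
        echo "$p.js: hardened"
    else
        echo "$p.js: NOT hardened"
    fi
done
rm -rf "$demo"
```

Run it against a real profile with `efail_hardened ~/.thunderbird/<profile>/prefs.js` after sourcing the file; a non-zero exit means one of the two settings is still in its weak state.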