[cp-global] #efail explained

Christian Pietsch christian.pietsch at digitalcourage.de
Thu May 17 13:54:50 GMT 2018

Hi Crille,
hi party people,

thank you for bringing this up. My friends from the Cryptoparty group
in Bielefeld, Germany, and I are deeply worried by the conclusions
lots of people draw from this exploit.

It's not surprising that the mass media chose clickbaiting headlines
when covering this topic. It is more surprising that our friends from
the EFF and generally well-regarded IT security experts such as
Matthew Green and Bruce Schneier came up with the rather nonsensical
suggestion to use Signal instead of E-Mail. In a lot of situations,
this is simply not an option. These two technologies cannot replace
each other because Signal is bound to telephone numbers. Moreover,
Signal is a centralised service whereas OpenPGP and E-Mail are open
protocols for decentralised services.

To sum up, brilliant research has been used to discredit decentralised
services and to promote a centralised service (in FISA land) instead.
Let's do all we can to counter this.

Crille wrote:
> === What can we do ? ===
> There's nothing to do if you're using Enigmail 2.0+ as it already
> includes fixes and/or workarounds:
> https://twitter.com/pEpFoundation/status/995993916888502273
> As a general rule disabling HTML helps to lower the chances of things
> going wrong. Here's how to do it in different clients:
> https://twitter.com/botherder/status/995966058371670016

Correct. Yesterday, Enigmail 2.0.4 was released. It implements two
workarounds: https://enigmail.net/index.php/download/changelog .
One of them is just a temporary fix that will be made superfluous by
the new release of Thunderbird which is expected to be released
tomorrow, I believe.

As a Mutt user, I am glad to say that I have never been affected. I do
realize that this is not an e-mail client we can recommend to the
general public. What we could recommend to all Linux users is KMail.
Its PGP integration was never affected, either. But our best bet is still
Thunderbird with Enigmail which should soon be pure joy for crypto
beginners – as soon as the pEp and Autocrypt features that were
integrated in Enigmail 2.0.0 work flawlessly. Until then, please
add bug reports to the issue tracker:


Christian Pietsch | volunteering for Digitalcourage e.V.
https://digitalcourage.de/en · https://bigbrotherawards.de/en
How to avoid Google: https://pad.foebud.org/google-alternatives