EFail and Thunderbird, What You Need To Know
Yesterday, researchers and the press shared information describing security vulnerabilities that would enable an attacker to gain access to the plaintext of encrypted Emails. To understand how this happens, the researchers who uncovered EFail provide a good description on their website:
In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.
The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.
How to know if you’re affected
You’re affected only if you:
- Are using S/MIME encryption or PGP encryption (through the Enigmail add-on)
- And the attacker has access to encrypted Emails of yours
How to protect yourself
DO NOT DISABLE ENCRYPTION. We’ve seen recommendations from some outlets to stop using encrypted Email altogether. If you are sending sensitive data via Email, Thunderbird still recommends using encryption to keep those messages safe. You should, however, check the configuration of the applications you use to view encrypted EMail. For Thunderbird, follow our guidelines below to protect yourself.
Until Thunderbird 52.8 and 52.8.1 are released with fixes:
- Keep remote content disabled in Thunderbird (the default) is advisable as it should mitigate the described attack vector.
- Do not use the “allow now” option that pops up when remote content is encountered in your encrypted Emails.
Most of the EFail bugs require a back-channel and require the attacker to send a manipulated Email to you, which contains part of a previously obtained encrypted message. It is also worth noting that clicking content in the Email can also allow for a back-channel (until the fixes are live).
Enigmail version 2.0.3 also shows a warning now, which should help you be aware if you are affected.