Fix EFAIL

Originally created by @segfault on #15602 (Redmine)

This is about http://efail.de, a vulnerability in multiple email clients, including Thunderbird + Enigmail, which allows exfiltrating plaintext of GPG encrypted emails.

What we know so far:

The enigmail version we ship (1.9.9) seems to be affected, and there don’t seem to be any security patches to the Debian package after the 1.9.9 release.

According to this, Thunderbird doesn’t have patches released yet

We could be saved by Torbirdy, because, according to the EFAIL website, “the most prominent way of attacking EFAIL” uses HTML, and Torbirdy completely disables HTML.

Team: sajolida

Feature Branch: feature/15091-thunderbird-60

Attachments

remote content.png

Related issues

Related to #15657 (closed)
Related to #15486 (closed)
Related to #15661 (closed)
Related to #15692 (closed)
Related to #15658 (closed)
Blocked by #15607 (closed)
Blocks tails/accounting#15334
Blocked by #15091 (closed)

Edited May 21, 2020 by segfault

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information