
List:       mutt-users
Subject:    Mutt and EFAIL
From:       "Kevin J. McCarthy" <kevin () 8t8 ! us>
Date:       2018-05-19 23:03:27
Message-ID: 20180519230327.GC17723 () afu ! lan


I've received a few questions about EFAIL and whether this release has
any related changes, so I hope you'll forgive me for sending a second
mutt-announce email today.

For those unaware, https://efail.de/ disclosed an attack on OpenPGP and
S/MIME emails this past week.  The researchers reported mutt-1.7.2 was
not successfully attacked.

So, the short answer is no, mutt-1.10.0 has no changes made as a result
of EFAIL, and the pgp/smime configuration variable changes in this
release are unrelated.

I am neither a security researcher nor a cryptographer, but here are my
current takeaways and suggestions:

* If you are using a version of mutt before 1.6.0 and rely on OpenPGP
  encryption, please upgrade.  1.6.0 introduced $pgp_decryption_okay,
  which scans the GnuPG status output for a successful decryption code.

* Please make sure you update your config to the values suggested
  in contrib/gpg.rc (again, in particular $pgp_decryption_okay).

* Opening a decrypted email in an external browser should be considered
  unsafe.  Part of the attack was due to HTML injection.

* I don't believe autoviewing dumped HTML via lynx, elinks, etc is an
  issue.  However, the researchers did not specifically test that.

-Kevin

["signature.asc" (application/pgp-signature)]
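The $pgp_decryption_okay check Kevin refers to works by matching a regex against the lines GnuPG writes to its status file descriptor (gpg --status-fd) and only showing the plaintext if a DECRYPTION_OKAY line is present. The following is an added illustration of that logic in Python, not mutt's own code; the regex is assumed to be the one in contrib/gpg.rc, and both status transcripts are constructed samples, not real gpg runs.

```python
import re
from typing import Optional

# Assumed to match the $pgp_decryption_okay setting in mutt's contrib/gpg.rc
# (check your own copy of gpg.rc). Anchored at line start so a crafted
# plaintext containing the same text cannot be confused with a status line,
# because plaintext goes to stdout and status lines go to the status fd.
DECRYPTION_OKAY_RE = re.compile(r"^\[GNUPG:\] DECRYPTION_OKAY")


def decryption_okay(status_output: str) -> bool:
    """True only if gpg explicitly reported DECRYPTION_OKAY on its status fd."""
    return any(DECRYPTION_OKAY_RE.match(line) for line in status_output.splitlines())


def render_decrypted(status_output: str, plaintext: str) -> Optional[str]:
    """Mirror the mutt policy: never display plaintext that gpg did not
    vouch for. Absence of DECRYPTION_OKAY (e.g. DECRYPTION_FAILED because
    the MDC integrity check failed or was missing) discards the output."""
    if decryption_okay(status_output):
        return plaintext
    return None


# Constructed sample: a normal, integrity-protected message (key id is a placeholder).
STATUS_OK = """[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""

# Constructed sample: gpg emitted partial plaintext but refused to vouch for it.
STATUS_FAILED = """[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

if __name__ == "__main__":
    print(render_decrypted(STATUS_OK, "hello"))      # hello
    print(render_decrypted(STATUS_FAILED, "hello"))  # None
```

A client that instead shows whatever bytes gpg wrote to stdout, ignoring the status fd, is the behaviour the researchers were able to exploit.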
