[Companion-announce] Update On PGP

Soraya Okuda soraya at eff.org
Wed May 30 17:48:00 PDT 2018

Hi good people!

Just wanted to share an update that we feel PGP is back on track to being safe to use in specific contexts, thanks to the hard work of developers across the ecosystem. Details below from my lovely colleagues Danny and Erica.


  The TL;DR (but please read the post for full context): coders and researchers across the PGP email ecosystem have been     
  hard at work addressing the problems highlighted by the paper—and after their sterling efforts, we believe some parts are 
  now safe for use, with sufficient precautions.

  If you use PGP for email using Thunderbird 52.8 and Enigmail 2.0.6, you can update to the latest versions of Enigmail, 
  turn on “View as Plain Text”, re-enable Enigmail, and get back to using PGP in email.

  For other popular clients: the answer is hazier. If you use GPGTools and Apple Mail, you should still wait. That system is 
  still vulnerable…

Hope you all are well, and many thanks for bearing with us on this disclosure rollercoaster,

Learn more about digital security at https://ssd.eff.org/

Want to teach digital security? Check out EFF's Security Education Companion at 

> On May 14, 2018, at 9:55 AM, Soraya Okuda <soraya at eff.org> wrote:
> Hey friends,
> Many of you likely received the email from my colleague, Danny, at 11pm last night. In case you haven't, I wanted to include it below. Please pass it on in your networks—we're worried that folks who need PGP most may be exposed to this vulnerability.
> I've also included a link to our newest blog post that goes into the vulnerability in depth: https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0
> My colleagues and I are hustling on explainers for what to do about E-Fail within the next day. Check our site soon.
> Hope you all are well,
> Soraya
> ---
> https://twitter.com/seecurity/status/995906638556155904
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now 
> Dear Colleagues,
> A group of European security researchers have released a warning about a
> set of vulnerabilities affecting users of PGP and S/MIME. EFF has been
> in communication with the research team, and can confirm that these
> vulnerabilities pose an immediate risk to those using these tools for
> email communication, including the potential exposure of the contents of
> past messages.
> The full details will be published in a paper on Tuesday at 07:00 AM UTC
> (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term
> risk, we and the researchers have agreed to warn the wider PGP user
> community in advance of its full publication.
> Our advice, which mirrors that of the researchers, is to immediately
> disable and/or uninstall tools that automatically decrypt PGP-encrypted
> email. Until the flaws described in the paper are more widely understood
> and fixed, users should arrange for the use of alternative end-to-end
> secure channels, such as Signal, and temporarily stop sending and
> especially reading PGP-encrypted email.
> Please refer to these guides on how to temporarily disable PGP plug-ins in:
> Thunderbird with Enigmail:
> https://www.eff.org/deeplinks/2018/05/disabling-pgp-thunderbird-enigmail
> Apple Mail with GPGTools:
> https://www.eff.org/deeplinks/2018/05/disabling-pgp-apple-mail-gpgtools
> Outlook with Gpg4win:
> https://www.eff.org/deeplinks/2018/05/disabling-pgp-outlook-gpg4win
> These steps are intended as a temporary, conservative stopgap until the
> immediate risk of the exploit has passed and been mitigated against by
> the wider community.
> We will release more detailed explanation and analysis when more
> information is publicly available.
> Please feel free to forward this message to those who may be affected.
> Thank you,
> Danny O’Brien
> Electronic Frontier Foundation
> -- 
> Learn more about digital security at https://ssd.eff.org/.
> Want to teach digital security? Check out the Security Education Companion at https://sec.eff.org/.
> Check out tools for encrypting the web at https://www.eff.org/encrypt-the-web
> _______________________________________________
> Companion-announce mailing list
> Companion-announce at eff.org
> https://lists.eff.org/mailman/listinfo/companion-announce

More information about the Companion-announce mailing list