Efail or OpenPGP is safer than S/MIME

Andrew Gallagher andrewg at andrewg.com
Thu May 17 13:15:35 CEST 2018


> On 17 May 2018, at 11:50, Patrick Brunschwig <patrick at enigmail.net> wrote:
> 
>> On 17.05.18 10:07, Werner Koch wrote:
>> On Thu, 17 May 2018 08:59, patrick at enigmail.net said:
>> 
>>> Within 12 hours after the release I got 5 bug reports/support requests
>> 
>> Kudos to Enigmail for acting as our guinea pig.  I implemented the same
>> thing in GPGME this morning (see my mail to enigmail users).
>> 
>> What shall we do now?  Provide a separate tool to decrypt and clean HTML
>> messages or add a tool to Enigmail to do just this?
> 
> Good question... Thunderbird is working on fixing the HTML display
> issue. But I think we should really start enforcing users to enable MDC.
> I therefore would prefer keeping the barrier high. In any case, this is
> nothing that I could implement within a week or two.

I agree. While it would be easy for the users to have a magic button in Enigmail, this isn’t something we should be encouraging users to use on a regular basis.

IMO a better solution would be a standalone tool that you could point at a local Maildir and tell it to clean and re-encrypt anything it finds that is bad (for a given value of “bad”), and save it to a new Maildir, perhaps with an attachment explaining what was done. This would of course invalidate any signatures on the re-encrypted data, but that’s OK for the use case. It should not be an in-place update, nor should it work over e.g. IMAP because that would a) encourage people to run it in a cronjob and b) destroy the originals, which may be a deal breaker for archival purposes. 

A
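
A possible first step for the standalone Maildir tool proposed above, as an added example that is not part of the original message nor code from GnuPG or Enigmail: a read-only scan that lists messages whose OpenPGP payload is a Symmetrically Encrypted Data packet (RFC 4880 tag 9, no MDC) rather than the integrity-protected tag 18. Treating "no MDC" as the definition of "bad" is an assumption, as are all function names; cleaning and re-encrypting are out of scope here.

```python
import base64, mailbox, re

SED, SEIPD = 9, 18  # RFC 4880 packet tags: encrypted data without / with an MDC
ARMOR = re.compile(r"-----BEGIN PGP MESSAGE-----(.*?)-----END PGP MESSAGE-----", re.S)

def walk_packets(data):
    """Skip leading session-key packets; return the encrypted container's tag."""
    i = 0
    while i < len(data) and data[i] & 0x80:  # bit 7 marks a packet header
        hdr = data[i]
        new, old_len = hdr & 0x40, 1 << (hdr & 3)
        tag = hdr & 0x3F if new else (hdr >> 2) & 0x0F
        if tag in (SED, SEIPD):
            return tag
        o = data[i + 1]
        if not new and old_len < 8:  # old format: 1-, 2- or 4-byte length
            n, skip = int.from_bytes(data[i + 1:i + 1 + old_len], "big"), 1 + old_len
        elif new and o < 192:
            n, skip = o, 2
        elif new and o < 224:
            n, skip = ((o - 192) << 8) + data[i + 2] + 192, 3
        elif new and o == 255:
            n, skip = int.from_bytes(data[i + 2:i + 6], "big"), 6
        else:
            return None  # indeterminate or partial length: cannot skip safely
        i += skip + n
    return None

def container_tag(text):
    """Tag of the encrypted-data packet in the first armored message, else None."""
    m = ARMOR.search(text.replace("\r\n", "\n"))
    if not m:
        return None
    body = m.group(1).partition("\n\n")[2]  # armor headers end at a blank line
    b64 = "".join(l for l in body.split("\n") if not l.startswith("="))  # drop CRC24
    try:
        return walk_packets(base64.b64decode(b64))
    except (ValueError, IndexError):  # bad base64 or truncated packet
        return None

def find_no_mdc(maildir_path):
    """Read-only scan: keys of messages with an encrypted part lacking an MDC."""
    hits = []
    for key, msg in mailbox.Maildir(maildir_path, create=False).iteritems():
        for part in msg.walk():
            raw = b"" if part.is_multipart() else part.get_payload(decode=True) or b""
            if container_tag(raw.decode("ascii", "replace")) == SED:
                hits.append(key)
                break
    return sorted(hits)
```

The scan never decrypts and never writes to the source Maildir, so the originals stay intact for archival.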
