A Solution for Sending Messages Safely from EFAIL-safe Senders to EFAIL-unsafe Receivers

Mirimir mirimir at riseup.net
Tue May 29 21:22:33 CEST 2018

On 05/28/2018 12:15 AM, Werner Koch wrote:
> On Thu, 24 May 2018 00:05, gnupg-users at spodhuis.org said:
>> up at <https://github.com/autocrypt/memoryhole>.
> Given that I see more and more mails with "Encrypted mail" as subject,
> this feature is getting more and more annoying.  It will eventually not
> be possible anymore to pre-sort mails as it is commonly done, either mentally
> or by tools.  Well, some MUAs might be able to auto-decrypt whole
> folders but that opens a more severe security problem (e.g. Tempest
> oracle) than having a plaintext subject.

That is problematic for me, because I choose to store messages
encrypted. My correspondents and I do use generic subjects, but it's not
uncommon to have long, branching threads. So it's very difficult to find
old stuff. No search, without mass decryption. Maybe Enigmail needs a
search extension ;)

> We can't enforce technical security without proper OPSEC.  Regarding the
> Subject, Reference, etc, it is way easier and more secure to educate the
> user about the fact that only the content is _end-to-end_ encrypted and
> other parts, like the Subject, are required to be plaintext for proper
> routing and mail handling.

I've started playing with HeaderToolsLite in Thunderbird. One can redact
many headers without affecting delivery, as I recall. But it's tedious.
Maybe I ought to go back to terminal clients.

> Regarding the subject there is a simple and also fun solution: If you
> need to hide the subject, use a nonsense phrase instead.  Such a phrase
> makes mental pre-sorting as effective as an on-topic subject.

Or perhaps ~25 character ~random strings. That way, I could easily keep
notes about threads that I care about. That wouldn't be in Thunderbird,
and the VM host is LUKS encrypted. Or I could use tomb.

> Shalom-Salam,
>    Werner
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
