Thunderbird and Efail
phill at hallambaker.com
Wed May 16 14:19:07 UTC 2018
On Tue, May 15, 2018 at 8:59 PM, Ben Bucksch <ben.bucksch at beonex.com> wrote:
> Nomis101 🐝 wrote on 16.05.18 01:31:
> I assume the S/MIME implementation is affected from Efail? Is this a
> serious issue for all Thunderbird users who are relying on S/MIME (and
> sending HTML emails)?
> That said, the attack is an active MITM attack. The attacker needs to
> modify your emails. You can also detect it. So, it's a crude attack from an
> attacker's viewpoint.
> Good news is that it's simple to mitigate. Simply enable View | Message
> Body as | Simple HTML, and the attack will no longer work. This feature
> neutralizes the attack in 2 different ways. If security is important to
> you, you should enable that anyways, as it neutralizes whole classes of
No. That is not the way to address a security issue.
Products have to ship in a secure state to be considered secure. If that is
the setting that is secure, that should be enforced in code.
There is no reason to ever split an HTML body across MIME boundaries and I
cannot believe any existing mail client does anything close. So the obvious
fix is to make it a requirement that the HTML be all in one MIME part.
The Thunderbird S/MIME implementation is utterly horrid. Configuring TBird
to use certs was a 20 minute process last time I cared to try. And none of
that is necessary.
There are current discussions on how to make S/MIME fit for use. I think it
very likely that we will see something like ACME emerge but for SMTP and
that there will be free certificate providers.
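The single-MIME-part requirement proposed in the message above, expressed as a receiver-side check. This is an added example, not code from the thread or from Thunderbird: it flags any multipart container in which an encrypted S/MIME part has a text/html sibling. The function names, the fail-closed default for a missing `smime-type`, and the sample messages are assumptions made for the example, and only direct siblings are compared.

```python
# Added example (not Thunderbird code); messages below are constructed.
from email import message_from_bytes

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def is_smime_encrypted(part) -> bool:
    """True for an S/MIME part whose smime-type marks it as encrypted."""
    if part.get_content_type() not in SMIME_TYPES:
        return False
    # Assumption: a missing smime-type is treated as encrypted (fail closed).
    kind = part.get_param("smime-type", "enveloped-data")
    return str(kind).lower() in {"enveloped-data", "authenveloped-data"}

def html_beside_ciphertext(raw: bytes) -> list:
    """List every multipart container in which an encrypted S/MIME part
    has a text/html sibling, i.e. HTML split around the ciphertext."""
    findings = []

    def walk(part, path):
        if not part.is_multipart():
            return
        children = part.get_payload()
        types = [c.get_content_type() for c in children]
        if "text/html" in types and any(is_smime_encrypted(c) for c in children):
            findings.append(f"{path}: " + " | ".join(types))
        for i, child in enumerate(children, 1):
            walk(child, f"{path}.{i}")

    walk(message_from_bytes(raw), "1")
    return findings

def sample(split: bool, smime_type: str = "enveloped-data") -> bytes:
    """Constructed test message; 'AAAA' stands in for the CMS blob."""
    enc = (f"Content-Type: application/pkcs7-mime; smime-type={smime_type}\r\n"
           "Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n")
    if not split:
        return ("MIME-Version: 1.0\r\n" + enc).encode()
    html = "Content-Type: text/html\r\n\r\n{}\r\n"
    return ("MIME-Version: 1.0\r\n"
            "Content-Type: multipart/mixed; boundary=B\r\n\r\n"
            "--B\r\n" + html.format("<p>before") +
            "--B\r\n" + enc +
            "--B\r\n" + html.format("after</p>") +
            "--B--\r\n").encode()

if __name__ == "__main__":
    for label, raw in (("single part", sample(False)), ("split", sample(True))):
        print(label, "->", html_beside_ciphertext(raw) or "ok")
```

A client enforcing the rule in code would refuse to decrypt, or render the decrypted part in isolation, whenever the returned list is non-empty.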