Popular PGP Email add-on Enigmail addresses security gaps

by
in security on (#2S8K)
You might be familiar with Enigmail, the popular add-on to the Thunderbird email program that allows public-key encryption of email. If you haven't heard of it, it's worth investigating: Enigmail is an important upgrade to your email experience. And if you're already using it, then you should upgrade, because several encryption flaws were found and have recently been patched.
An Enigmail user who reported one of the encryption failures in version 1.7 on the project's support forum described the situation as "the biggest imaginable catastrophe."

"I am currently preparing a crypto class for journalists next week to teach them how to use safe email," the user wrote. "HOW am I going to explain that? A system tells the user in a separate window as well as in a menu line that everything will be encrypted but then it simply FORGOT to ENCRYPT and, ooops, their report will be intercepted and their source will be tortured?"
That's a bit hyperbolic perhaps. But it's still a good time to keep your encryption up to date. Unless you agree with security researcher Matthew Green, who thinks PGP sucks and it's time for it to die.

1.7.2 unusable (Score: 2, Informative)

by seriously@pipedot.org on 2014-09-12 08:46 (#2SAA)

I've been using Enigmail for years but the recent update to 1.7.2 made it unusable.

Besides being suddenly very slow, it is now saving *all* drafts as encrypted, even the ones sent to people not using PGP. I don't know what's going on, but the end result seems to be that if the mail I'm writing has embedded images (*not* distant online images, just inline in the flow of the text), as soon as it is auto-saved in the draft folder (after 2-3 minutes), the inline images become "broken" (white square with dead link symbol).

The solution I've seen so far? Don't use HTML in emails, just plain text. But that doesn't fit very well in my workflow of sending inline graphs with comments around.

I downgraded to 1.7 since I don't feel impacted by the bugs (I never used the encryption, only the signing) and it's working fine. I'll try to file a bug whenever I have time.

Sorry for the Friday morning rant ... seriously :-)