Today, security researchers disclosed vulnerabilities, collectively called EFAIL, in how the decryption and display of PGP-encrypted emails are handled in multiple email clients (see EFAIL website, EFAIL paper). SecureDrop submissions are not sent via email, and can only be decrypted on the air-gapped Secure Viewing Station, so the content of submissions is not impacted by this vulnerability. This includes the content of messages from and to sources sent via the SecureDrop user interface.
However, SecureDrop does use GPG-encrypted emails for OSSEC security alerts to administrators, and some SecureDrop users receive messages from our support portal that are GPG-encrypted. Beginning in SecureDrop 0.7.0, to be released tomorrow, Tuesday May 15, 2018, journalists can also optionally receive GPG-encrypted alerts about new submissions (these do not contain any submission content or metadata).
Please read on for important security mitigation steps administrators and journalists should undertake concerning these uses of GPG-encrypted emails within the context of SecureDrop.
How the EFAIL attack works
To obtain decrypted message content, an attacker must first intercept email traffic or obtain encrypted email content by other means. The attacker must then send a carefully crafted email to the victim, which includes the encrypted content they wish to decrypt.
In a vulnerable email setup, the email will be decrypted and displayed upon opening it, and in the process, decrypted content will be exfiltrated to an external server. The exfiltration is performed using embedded images, forms, styles, or other HTML content; it may or may not require user interaction.
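The exfiltration channel described above depends on the mail client fetching a remote resource while rendering decrypted HTML. The following scanner, added here as an illustration and not part of the original post or of SecureDrop, walks a decrypted HTML body with Python's standard-library parser and lists every element or stylesheet rule that would trigger a request to an external server when rendered. It is the kind of check a defender can run over a message before allowing it to be displayed, or use to confirm that a client configured for "no remote content / plain text" has nothing left to fetch. The sample message body is constructed for the example; `example.invalid` is a reserved placeholder domain.

```python
"""List remote-resource references in a decrypted HTML mail body.

Added example: flags the HTML constructs (images, forms, styles, media)
through which a rendering mail client would contact an external server.
"""
from html.parser import HTMLParser
import re

# Tag/attribute pairs that make a mail client issue a network request
# when the body is rendered as HTML.
REMOTE_ATTRS = {
    "img": ("src",),
    "form": ("action",),
    "link": ("href",),
    "script": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "object": ("data",),
}

# url(...) references inside CSS, both in <style> blocks and style="" attributes.
URL_IN_CSS = re.compile(r"""url\(\s*['"]?\s*(https?://[^'")\s]+)""", re.I)
# Only absolute http(s) or protocol-relative URLs reach a remote server;
# cid: and data: references are resolved locally.
REMOTE_SCHEME = re.compile(r"^\s*(https?:|//)", re.I)


class RemoteRefScanner(HTMLParser):
    """Collect (tag, attribute, url) triples for every remote reference."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for name in REMOTE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value and REMOTE_SCHEME.match(value):
                self.findings.append((tag, name, value.strip()))
        # Inline style="background: url(https://...)"
        style = attrs.get("style")
        if style:
            for url in URL_IN_CSS.findall(style):
                self.findings.append((tag, "style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Contents of a <style> block are delivered as raw data.
        if self._in_style:
            for url in URL_IN_CSS.findall(data):
                self.findings.append(("style", "css", url))


def scan_html_body(html):
    """Return the list of remote references found in an HTML body."""
    parser = RemoteRefScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_safe_to_render(html):
    """True when rendering the body would make no remote request."""
    return not scan_html_body(html)


# Constructed sample body: one local (cid:) image, which is fine, and four
# constructs that would each contact example.invalid when rendered.
SAMPLE_BODY = """<html><body>
<p>Quarterly report attached.</p>
<img src="https://example.invalid/pixel.png" width="1" height="1">
<div style="background: url(https://example.invalid/bg.png)"></div>
<form action="https://example.invalid/submit"><input name="q" value="x"></form>
<style>body { background-image: url('https://example.invalid/style.png'); }</style>
<img src="cid:inline-attachment@local">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in scan_html_body(SAMPLE_BODY):
        print(f"remote reference via <{tag} {attr}>: {url}")
    print("safe to render:", is_safe_to_render(SAMPLE_BODY))
```

Run as a script it prints the four offending references from the sample and `safe to render: False`; a body containing only text and `cid:` images yields an empty list. The scanner is deliberately conservative (it reports, it does not sanitize), which matches the mitigation in this post: the safe setting is to not render HTML at all rather than to try to strip it.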
How you can protect yourself
The three most important steps you can take to securely decrypt PGP/GPG-encrypted emails are:
Apply software updates (both to email clients and GPG integrations such as GPGTools, Enigmail or GPG4Win) as they become available.
If enabled, disable remote loading of content within emails.
Disable viewing emails in HTML format (opt for viewing emails as plain text instead).
Based on our current understanding of the EFAIL vulnerability, you can safely decrypt email within your mail client if you have taken these steps; however, this high-profile vulnerability may lead to follow-up discoveries, and we will update this post as new information becomes available.
If you have any questions, please don't hesitate to contact us. If you are on-boarded to the SecureDrop support portal, please feel free to open an issue there; otherwise, we encourage you to ask questions in the SecureDrop community forums or to contact us at firstname.lastname@example.org (GPG-encrypted).
Instructions for different email clients
Mailvelope
While Mailvelope does load external resources embedded in decrypted messages, according to an official blog post, Mailvelope is not directly vulnerable to EFAIL OpenPGP attacks, except with very old (>15 years) keys. The Mailvelope team is working on additional security mitigations.
macOS Mail and GPG Tools (AKA GPG Suite)
To disable remote loading of content, uncheck the “Load remote content in messages” preference under Mail → Preferences → Viewing:
[Screenshot: the “Load remote content in messages” checkbox under Mail → Preferences → Viewing. Screenshot credit: GPG Tools Website]
While this mitigates a certain class of attacks, it is not possible to enforce a preference for plain text emails in Apple Mail, and a proof-of-concept exploit exists that works even with remote content disabled. As of June 4, 2018, a patched version of GPG Tools (AKA GPG Suite) exists, but "only our users on macOS High Sierra will benefit from these mitigations".
If a patched version for your version of macOS is not available, we recommend that you disable the GPG Tools (AKA GPG Suite) integration and decrypt emails manually, or switch to a different email client like Thunderbird/Enigmail.
Thunderbird and Enigmail
The current release of Enigmail (as of May 25, 2018: 2.0.5, released May 21, 2018) includes mitigation against all known EFAIL attacks. Remote loading of content is disabled by default in recent releases of Thunderbird.
Viewing emails in plain text provides additional risk mitigation. To enforce the display of emails in plain text format instead of HTML, use the option View → Message Body As → Plain Text. Once set, this will remain your viewing preference until you change it.
To ensure remote content loading is disabled (the default), navigate to Preferences → Privacy. Ensure the checkbox “Allow remote content in messages” is not set.
If you use Thunderbird from within a Tails workstation, note that the version of Enigmail shipping with Tails 3.7 does not include mitigation against EFAIL. However, Thunderbird in Tails ships with the TorBirdy extension, which disables HTML email by default, rendering EFAIL attacks ineffective. We recommend that you verify the configuration options above (remote content loading and plain text display) within your Tails workstation before decrypting email within Thunderbird in Tails.
Outlook and Gpg4Win
As of this writing, except with very old versions of Outlook, the combination of Outlook and Gpg4Win does not appear to be vulnerable to EFAIL OpenPGP attacks. See the detailed statement from the Gpg4Win developers.
To disable remote loading of content, navigate to Options → Trust Center. Under “Microsoft Outlook Trust Center”, click “Trust Center Settings”. Clear the checkbox that says “Don't download pictures automatically in HTML email messages or RSS items”. Further, select “Email Security” in the left pane. In the “Read as Plain Text” section, check the “Read all standard mail in plain text” to disable messages from being viewed as HTML.
Updated May 15, 2018: Added information about the Thunderbird and Enigmail versions that ship with Tails 3.7.
Updated May 25, 2018: Added information about Enigmail 2.0.5, an Apple Mail proof-of-concept exploit, and links to official statements for Gpg4Win and Mailvelope. Updated our Apple Mail recommendation consistent with the existence of a proof-of-concept exploit.
Updated June 12, 2018: Added information about GPG Suite 2018.2.