Today, security researchers disclosed vulnerabilities, collectively called EFAIL, in how the decryption and display of PGP-encrypted emails are handled in multiple email clients (see EFAIL website, EFAIL paper). SecureDrop submissions are not sent via email, and can only be decrypted on the air-gapped Secure Viewing Station, so the content of submissions is not impacted by this vulnerability. This includes the content of messages from and to sources sent via the SecureDrop user interface.
However, SecureDrop does use GPG-encrypted emails for OSSEC security alerts to administrators, and some SecureDrop users receive messages from our support portal that are GPG-encrypted. Beginning in SecureDrop 0.7.0, to be released tomorrow, Tuesday May 15, 2018, journalists can also optionally receive GPG-encrypted alerts about new submissions (these do not contain any submission content or metadata).
Please read on for important security mitigation steps administrators and journalists should undertake concerning these uses of GPG-encrypted emails within the context of SecureDrop.
How the EFAIL attack works
To obtain decrypted message content, an attacker must first intercept email traffic or obtain encrypted email content by other means. The attacker must then send a carefully crafted email to the victim, which includes the encrypted content they wish to decrypt.
In a vulnerable email setup, the email will be decrypted and displayed upon opening it, and in the process, decrypted content will be exfiltrated to an external server. The exfiltration is performed using embedded images, forms, styles, or other HTML content; it may or may not require user interaction.
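As an added defensive check (not code from the original post or the SecureDrop project), the following Python script parses a raw email message and lists every HTML reference that would trigger a remote load when the message is rendered, i.e. the image, link, form, and stylesheet references that serve as the exfiltration channel. The sample message and the example.invalid host are constructed for this example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Attributes whose value the client fetches when rendering HTML.
REMOTE_ATTRS = {"src", "href", "action", "background", "poster", "data"}
REMOTE_SCHEME = re.compile(r"^\s*(https?:|//)", re.IGNORECASE)
# url(...) and @import references inside inline or <style> CSS.
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:|//)[^'\")\s]+)", re.IGNORECASE)


class _RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) triples pointing at remote hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name in REMOTE_ATTRS and REMOTE_SCHEME.match(value):
                self.findings.append((tag, name, value.strip()))
            elif name == "style":  # inline CSS, e.g. background: url(...)
                for url in CSS_URL.findall(value):
                    self.findings.append((tag, "style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # contents of a <style> block
            for url in CSS_URL.findall(data):
                self.findings.append(("style", "css", url))


def find_remote_references(raw_message: bytes):
    """Return remote-load references found in every text/html part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = _RemoteRefFinder()
            finder.feed(part.get_content())
            findings.extend(finder.findings)
    return findings


# Constructed sample: one local (cid:) image that is fine, four remote loads.
SAMPLE_EMAIL = b"""From: alerts@example.invalid
To: admin@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

plain text body
--b1
Content-Type: text/html; charset=utf-8

<html><body style="background: url(https://example.invalid/bg.png)">
<style>@import url('https://example.invalid/x.css');</style>
<img src="cid:local-logo"><img src="https://example.invalid/pixel.png">
<a href="//example.invalid/p">link</a></body></html>
--b1--
"""

if __name__ == "__main__":
    for tag, attr, url in find_remote_references(SAMPLE_EMAIL):
        print(f"remote load via <{tag} {attr}>: {url}")
```

A message with no text/html part, or whose HTML only references cid: attachments, yields an empty list; anything else is a reason to keep remote loading off before opening it.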
How you can protect yourself
The three most important steps you can take to securely decrypt PGP/GPG-encrypted emails are:
Apply software updates (both to email clients and GPG integrations such as GPGTools, Enigmail or GPG4Win) as they become available.
If enabled, disable remote loading of content within emails.
Disable viewing emails in HTML format (opt for viewing emails as plain text instead).
Based on our current understanding of the EFAIL vulnerability, you can safely decrypt email within your mail client if you have taken these steps; however, this high-profile vulnerability may lead to follow-up discoveries, and we will update this post as new information becomes available.
If you have any questions, please don't hesitate to contact us. If you are on-boarded to the SecureDrop support portal, please feel free to open an issue there; otherwise, we encourage you to ask questions in the SecureDrop community forums or to contact us at firstname.lastname@example.org (GPG-encrypted).
Instructions for different email clients
Mailvelope
While Mailvelope does load external resources embedded in decrypted messages, according to a maintainer, Mailvelope is not directly vulnerable to EFAIL OpenPGP attacks, except with very old (>15 years) keys. The Mailvelope team is working on additional security mitigations.
macOS Mail and GPG Tools
Warning: GPG Tools has not yet been patched against EFAIL OpenPGP attacks, and is currently vulnerable (a patch is in development).
To disable remote loading of content, uncheck the “Load remote content in messages” preference under Mail → Preferences → Viewing:
Screenshot credit: GPG Tools Website
It is not possible to enforce a preference for plain text emails in this application. To decrease your risk, we recommend switching to a different email client that lets you enforce this preference (e.g., Thunderbird and Enigmail). If you continue using Apple Mail, avoid interacting with encrypted emails (e.g., clicking on links or other email content), or disable the GPG Tools integration and decrypt emails manually.
Thunderbird and Enigmail
The current release of Enigmail (as of this writing: 2.0.3, released May 8, 2018) includes mitigation against OpenPGP EFAIL attacks, except for keypairs using non-default ciphers. Remote loading of content is disabled by default in recent releases of Thunderbird.
Viewing emails in plain text provides additional risk mitigation. To enforce the display of emails in plain text format instead of HTML, use the option View → Message Body As → Plain Text. Once set, this will remain your viewing preference until you change it.
To ensure remote content loading is disabled (the default), navigate to Preferences → Privacy. Ensure the checkbox “Allow remote content in messages” is not set.
If you use Thunderbird from within a Tails workstation, note that the version of Enigmail shipping with Tails 3.7 does not include mitigation against EFAIL. However, Thunderbird in Tails ships with the TorBirdy extension, which disables HTML email by default, rendering EFAIL attacks ineffective. We recommend that you verify the configuration options above (remote content loading and plain text display) within your Tails workstation before decrypting email within Thunderbird in Tails.
Outlook and Gpg4Win
As of this writing, except with very old versions of Outlook, the combination of Outlook and Gpg4Win does not appear to be vulnerable to EFAIL OpenPGP attacks.
To disable remote loading of content, navigate to Options → Trust Center. Under “Microsoft Outlook Trust Center”, click “Trust Center Settings”. Clear the checkbox that says “Don't download pictures automatically in HTML email messages or RSS items”. Further, select “Email Security” in the left pane. In the “Read as Plain Text” section, check the “Read all standard mail in plain text” checkbox to prevent messages from being viewed as HTML.
Updated May 15, 2018: Added information about the Thunderbird and Enigmail versions that ship with Tails 3.7.