Update: Since this article was published, GPGTools released version 2018.2 which appears to successfully mitigate the OpenPGP EFAIL attack for macOS High Sierra users. If you use macOS High Sierra, Apple Mail, and GPGTools, it should be safe to use PGP again if you update to the latest version of everything. If you use an older version of macOS, GPGTools is still vulnerable.

It’s been nearly two weeks since a group of European researchers published a paper describing “EFAIL,” a set of critical software vulnerabilities that allow encrypted email messages to be stolen from within the inbox. And developers of email clients and encryption plug-ins are still scrambling to come up with a permanent fix.

Apple Mail is the email client that comes free with every Mac computer, and an open source project called GPGTools allows Apple Mail to smoothly encrypt and decrypt messages using the 23-year-old PGP standard.

The day the EFAIL paper was published, GPGTools instructed users to work around EFAIL by changing a setting in Apple Mail to disable loading remote content:

"Efail": as a temporary workaround against "efail", disable "Load remote content in messages" in Mail > Preferences > Viewing. GPG Suite 2018.2 which mitigates against this attack is coming very soon.

Similarly, the creator of PGP, Phil Zimmermann, co-signed a blog post Thursday stating that EFAIL was “easy to mitigate” by disabling the loading of remote content in GPGTools.

But even if you follow this advice and disable remote content, Apple Mail and GPGTools are still vulnerable to EFAIL. I developed a proof-of-concept exploit that works against Apple Mail and GPGTools even when remote-content loading is disabled (German security researcher Hanno Böck also deserves much of the credit for this exploit - more on that below).