EFail and Thunderbird, What You Need To Know

Yesterday, researchers and the press shared information describing security vulnerabilities that would enable an attacker to gain access to the plaintext of encrypted Emails. To understand how this happens, the researchers who uncovered EFail provide a good description on their website:

In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.

How to know if you’re affected

You’re affected only if you:

  • Are using S/MIME encryption or PGP encryption (through the Enigmail add-on)
  • And the attacker has access to encrypted Emails of yours

How to protect yourself


DO NOT DISABLE ENCRYPTION. 
We’ve seen recommendations from some outlets to stop using encrypted Email altogether. If you are sending sensitive data via Email, Thunderbird still recommends using encryption to keep those messages safe. You should, however, check the configuration of the applications you use to view encrypted Email. For Thunderbird, follow our guidelines below to protect yourself.

Until Thunderbird 52.8 and 52.8.1 are released with fixes:

  • Keeping remote content disabled in Thunderbird (the default) is advisable, as it should mitigate the described attack vector.
  • Do not use the “allow now” option that pops up when remote content is encountered in your encrypted Emails.
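One way to check a profile against the advice above, as an added example (not Thunderbird's own code): it reads the text of a profile's prefs.js and user.js and reports whether remote content is still blocked and which message-body mode (original HTML, simple HTML or plain text) is active. The pref names and their defaults are stated from general knowledge of Thunderbird rather than from this post, and per-sender remote-content exceptions, which are stored elsewhere, are not checked.

```python
import re

# Values Thunderbird uses when a pref is absent from the profile (assumed defaults).
DEFAULTS = {
    "mailnews.message_display.disable_remote_image": True,  # remote content blocked
    "mailnews.display.html_as": 0,                          # 0 = original HTML
}
BODY_MODES = {0: "original HTML", 1: "plain text", 3: "simple HTML"}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for the user_pref() lines of a prefs.js/user.js file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs_js, user_js=""):
    """Check the effective settings; user.js is applied on top of prefs.js."""
    eff = {**DEFAULTS, **parse_prefs(prefs_js), **parse_prefs(user_js)}
    html_as = eff["mailnews.display.html_as"]
    mode = BODY_MODES.get(html_as, f"html_as={html_as}")
    findings = []
    if eff["mailnews.message_display.disable_remote_image"] is not True:
        findings.append("remote content is allowed in messages")
    if mode == "original HTML":
        findings.append("message body is rendered as original HTML")
    return {"body_mode": mode, "findings": findings}

# Constructed sample profile: remote content switched on in prefs.js,
# Simple HTML forced through user.js.
SAMPLE_PREFS = '''
// Mozilla User Preferences
user_pref("mail.shell.checkDefaultClient", false);
user_pref("mailnews.message_display.disable_remote_image", false);
'''
SAMPLE_USER_JS = 'user_pref("mailnews.display.html_as", 3);\n'

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS, SAMPLE_USER_JS))
    print(audit(""))  # untouched profile
```

Run it with Thunderbird closed, passing the contents of the profile's prefs.js (and user.js, if one exists) to `audit`.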

Most of the EFail bugs require a back-channel and require the attacker to send a manipulated Email to you, which contains part of a previously obtained encrypted message. It is also worth noting that clicking content in the Email can also allow for a back-channel (until the fixes are live).

Enigmail version 2.0.3 also shows a warning now, which should help you be aware if you are affected.

 

15 responses


  1. Ben Bucksch wrote on :

    I’m working on a fix as I type this.

    The best mitigation right now is View | Message body as | Simple HTML.

    That stops this bug, and many others as well. It was specifically created to avoid entire classes of attacks, so it’s good to leave it enabled even when there is a specific fix for this bug, as it should protect against other future problems as well.

    Reply

  2. Óvári wrote on :

    Can you please advise the status of the build engineer?
    https://blog.mozilla.org/thunderbird/2018/03/were-hiring-a-build-engineer/
    Thank you

    Reply

  3. victorhck wrote on :

    Thanks for your answers…
    I’ll keep using plain-emails in Thunderbird with Enigmail, updated to latest version in my GNU/Linux system…

    Happy hackin’!

    Reply

  4. HeptaSean wrote on :

    The efail paper says on page 11 that Thunderbird allows exfiltration without user interaction.

    On pages 20 and 21 the authors provide more detail and claim that they successfully used a ” tag to bypass remote content blocking.

    Doesn’t that contradict your claim that disabling remote content is enough to protect against efail attacks?

    Reply

    1. Ryan Sipes wrote on :

      This may have been the case when the report was made, but as of 52.7 (our current release), this has been fixed.

      Reply

  5. yrro wrote on :

    Does the default include links with the rel=”preconnect” attribute?

    Reply

    1. Ryan Sipes wrote on :

      This was patched with the last release, 52.7.

      Reply

  6. Tree wrote on :

    I thought stable Thunderbird 60 was coming out yesterday. Any ETA?

    Reply

    1. Ryan Sipes wrote on :

      Right now it is looking like early June.

      Reply

    2. Óvári wrote on :

      Thunderbird 60.0 Beta is available at:
      https://www.thunderbird.net/channel/


      Below is an approximate outline and order of our plans for the next few months:
      * release 52.8.0 (released at https://www.thunderbird.net/)
      * release 60.0b7, and 60.0b8 if needed, using Taskcluster build infrastructure [1]
      * release 52.8.1 for security updates that were not ready for 52.8.0
      * release 60.0 for manual updates only [2] (June)
      * release 60.1.0 and 52.9.0 (July)
      * release 60.2.0 and end of life for 52 (September)

      https://groups.google.com/forum/#!topic/tb-enterprise/Kdm_dMzASuY

      Reply

  7. David J. wrote on :

    Hello,

    I use Thunderbird (52.6.0) on a Debian stable, looking at the release sheet : https://www.thunderbird.net/en-US/thunderbird/releases/ , it looks like Thunderbird is currently in version 52.8.0.

    Any recommendation on how to best keep up with the latest stable version?

    Is there anything that needs to be done on the user side? Is there any problem regarding build, build process or Debian stable package management that the community could help with in order to make sure that Thunderbird users on Debian benefit from the latest versions?

    Reply

  8. Wayne wrote on :

    As of Friday, version 52.8.0 is out with a good many security fixes https://www.thunderbird.net/en-US/thunderbird/52.8.0/releasenotes/

    Reply

  9. Gerald Reimer wrote on :

    I have tried to get Thunderbird on this S7+ Apple iPhone. How do I do this?

    Reply

  10. Harald Arnesen wrote on :

    E-mail is plain text. Period.

    Reply

  11. Greg Jaxon wrote on :

    E-mail is plain text. Period.

    “Ascii shall receive.” (Matt 7:7)

    Ironically, one defense is to encrypt your message bracketed by (respectively) ending and beginning quotes and html tag fragments to prevent the formation of URLs that embed your secret message.

    Would it not suffice to insist that each part of a multipart package be self-contained (i.e. that the part-splicer cause a full exit of the parser stack for any grammar operating on the spliced parts)?

    Reply
