R2Mail2 efail mitigation


Stefan Selbitschka

May 14, 2018, 2:18:56 PM
to R2Mail2 BETA Test
As you have noticed, a new security breach hype named "efail" has found its way to the press. Since this is related to MUA and S/MIME and PGP, R2Mail2 is vulnerable. The authors informed me 2 months ago, and I tried to fix the security problems as far as possible, but I have not disabled HTML for encrypted e-mail yet.

So please consider the following:
- Upgrade to version >= 2.40.264
- Disable HTML view (Settings->Display->View HTML content by default->off)
- Do not download remote content

This does not fix the problem itself, because it is based on the CBC or CFB cipher modes used in S/MIME and PGP and not on the MUA, but it makes exfiltration of plain text more difficult.

I will consider disabling HTML for encrypted e-mail in the future if there are no other fixes or workarounds.

If you have particular questions, do not hesitate to ask. I will publish some more information as soon as the paper is published.

regards

stefan
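
As an added illustration of the "Do not download remote content" advice above (example code written for this page, not part of the original post and not R2Mail2's own code): a Python check that lists every reference in a message's HTML parts that a renderer would fetch without user interaction. The sample message, the `example.invalid` hosts, and the names `RemoteRefFinder` and `remote_refs` are assumptions constructed for the example.

```python
from email import message_from_string
from html.parser import HTMLParser

# Attributes that make an HTML renderer fetch a URL without user interaction.
FETCH_ATTRS = {"src", "srcset", "background", "poster", "data"}

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for each automatically fetched remote URL."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            # <link href> loads by itself (stylesheets); <a href> needs a click.
            auto = name in FETCH_ATTRS or (tag == "link" and name == "href")
            # Drop whitespace before the prefix test (renderers ignore
            # tabs and newlines inside a URL).
            probe = "".join(url.split()).lower()
            if auto and probe.startswith(("http://", "https://", "//")):
                self.refs.append((tag, name, url))

def remote_refs(raw_message):
    """Return the remote references in every text/html part of a message."""
    found = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        finder = RemoteRefFinder()
        finder.feed(part.get_payload(decode=True).decode(charset, errors="replace"))
        finder.close()
        found.extend(finder.refs)
    return found

# Constructed sample message; hosts under example.invalid are placeholders.
SAMPLE = (
    "Subject: constructed sample\nMIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<body background="https://example.invalid/bg.png">'
    '<img src="http://example.invalid/pixel.png"><img src="cid:logo">'
    '<a href="https://example.invalid/page">link</a>'
    '<link rel="stylesheet" href="//example.invalid/s.css"></body>'
)

if __name__ == "__main__":
    for ref in remote_refs(SAMPLE):
        print(ref)
```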

pourquoi

May 15, 2018, 3:29:23 PM
to R2Mail2 BETA Test
Thank you for letting us know. I was about to ask the same question.
It was nice of the authors to let you and other security software know about the problem in advance.
Please continue to inform us about what you intend to do about it.