Enigmail sends encrypted e-mails in clear text

A fatal bug in the popular Thunderbird extension Enigmail can cause mails that are supposed to be encrypted to be sent in plain text. Anyone who relies on privacy and sends confidential or even secret information risks that the mails can be read by third parties.



The German IT news magazine heise.de reported the incident here. The bug is located in the so-called junior mode, which is active by default after the Enigmail installation. In this mode, the Pretty Easy Privacy (pEp) encryption method is used to simplify mail encryption and make it usable for everyone. It relieves the user of all setup steps and uses the established OpenPGP in the background. pEp was integrated into Enigmail in spring 2018.

The editors at heise.de noticed, while writing an article about Enigmail for the print magazine, that there is a fatal bug in the Windows version. The problem is that when sending a mail, Enigmail indicates that encryption is active, but the message is actually sent in plain text.

A status message at the bottom of the mail editor indicates whether encryption is used. If it says "Privacy status: Secure" or "Secure & Familiar", there should be no doubt that the mail currently being written is transmitted end-to-end encrypted. However, this is currently a fallacy: the message is sent unencrypted, in plain text.

heise.de was able to reliably reproduce the issue several times under Windows with the current Thunderbird 60 and the likewise current Enigmail version 2.0.8. Encrypted mails could not be sent in junior mode in any case. So the recommendation is: don't use Enigmail in junior mode to send encrypted mails. The Enigmail developers have published this blog post with more details and a workaround.
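Because the editor's status line cannot be trusted here, the only reliable check is to look at what actually left the client. The following script is an added example (not Enigmail, pEp or heise.de code) that inspects raw RFC 5322 messages, for instance exported from Thunderbird's Sent folder, and reports which ones went out without any OpenPGP encryption. It recognizes PGP/MIME (RFC 3156, `multipart/encrypted` with an `application/pgp-encrypted` control part) and inline ASCII-armored PGP in a `text/plain` body; anything else counts as plain text. The three sample messages, the addresses and the ciphertext blocks are constructed placeholders.

```python
"""Audit sent mail for messages that should have been OpenPGP-encrypted
but were transmitted in plain text. Added example; not Enigmail code."""
import email
import mailbox
from email import policy

PGP_ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"


def classify_encryption(raw: bytes) -> str:
    """Return 'pgp-mime', 'inline-pgp' or 'plaintext' for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # RFC 3156 PGP/MIME: multipart/encrypted with a control part followed
    # by the armored ciphertext as application/octet-stream.
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        parts = list(msg.iter_parts())
        if len(parts) == 2 and parts[1].get_content_type() == "application/octet-stream":
            return "pgp-mime"

    # Inline PGP: an ASCII-armored block inside the text/plain body.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and PGP_ARMOR_HEADER in body.get_content():
        return "inline-pgp"

    return "plaintext"


def find_unencrypted(messages):
    """Return the subjects of all messages that carry no PGP encryption."""
    result = []
    for raw in messages:
        if classify_encryption(raw) == "plaintext":
            msg = email.message_from_bytes(raw, policy=policy.default)
            result.append(str(msg["Subject"]))
    return result


def audit_mbox(path: str):
    """Same audit over an mbox file, e.g. a Thunderbird Sent folder (path is an assumption)."""
    return find_unencrypted(m.as_bytes() for m in mailbox.mbox(path))


# Constructed sample messages; the ciphertext is a placeholder, not real PGP output.
PGP_MIME = b"""From: alice@example.org
To: bob@example.org
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMAxxxxxxxxxxxxxPLACEHOLDERxxxxxxxxxxxxx=
-----END PGP MESSAGE-----

--b1--
"""

INLINE_PGP = b"""From: alice@example.org
To: bob@example.org
Subject: inline armored note
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----

hQEMAxxxxxxxxxxxxxPLACEHOLDERxxxxxxxxxxxxx=
-----END PGP MESSAGE-----
"""

PLAINTEXT = b"""From: alice@example.org
To: bob@example.org
Subject: merger draft
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Please find the confidential draft below. The client said "Privacy status: Secure".
"""

SAMPLES = [PGP_MIME, INLINE_PGP, PLAINTEXT]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_encryption(raw))
    print("sent unencrypted:", find_unencrypted(SAMPLES))
```

The classifier is deliberately strict: a message is treated as encrypted only when the ciphertext structure is present, never because a header or a client status line claims it. Run `audit_mbox()` over a copy of the Sent folder after installing a workaround or a fixed version to confirm that nothing confidential went out in the clear.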



This entry was posted in Security. Bookmark the permalink.
