A reaction from GPG: https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
- Don’t use HTML mails.
- Use authenticated encryption.
Report publicly up now @ https://efail.de/ . Looks like there is a lot of misinformation being spread.
GnuPG team statement: https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html
We made three statements about the Efail attack at the beginning. We’re
going to repeat them here and give a little explanation. Now that we’ve
explained the situation, we’re confident you’ll concur in our judgment.
This paper is misnamed. It’s not an attack on OpenPGP. It’s an
attack on broken email clients that ignore GnuPG’s warnings and do silly
things after being warned.
This attack targets buggy email clients. Correct use of the MDC
completely prevents this attack. GnuPG has had MDC support since the
summer of 2000.
The authors made a list of buggy email clients. It’s worth looking
over their list of email clients (found at the very end) to see if yours
is vulnerable. But be careful, because it may not be accurate – for
example, Mailpile says they’re not vulnerable, but the paper indicates
Mailpile has some susceptibility.
The authors have done the community a good service by cataloguing buggy
email clients. We’re grateful to them for that. We do wish,
though, this thing had been handled with a little less hype. A whole
lot of people got scared, and over very little.
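One way a mail client can act on the two points above (use authenticated encryption; honour GnuPG's MDC warnings instead of rendering anyway), as an added example that is not GnuPG project code: a wrapper that parses gpg's machine-readable `--status-fd` lines and hands plaintext to the renderer only when GOODMDC was reported, treating a missing MDC the same as a bad one. The status keywords are real GnuPG tokens; the sample status runs and the function names are constructed for this demo.

```python
"""Refuse to render OpenPGP plaintext unless GnuPG reports a good MDC.

GOODMDC, BADMDC, DECRYPTION_OKAY, DECRYPTION_FAILED, BEGIN_/END_DECRYPTION
and PLAINTEXT are real GnuPG --status-fd keywords; the sample runs at the
bottom are constructed for the demo (function names are also ours).
"""
import subprocess
from typing import Iterable, Optional

SAFE, UNSAFE = "render", "do-not-render"


def classify_status(status_lines: Iterable[str]) -> str:
    """Return 'render' only if GnuPG saw an intact MDC and no failure.

    No GOODMDC line at all (legacy message without an MDC packet) is
    treated exactly like BADMDC: this is the check Efail-prone clients skipped.
    """
    good_mdc = failed = False
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # ordinary gpg stderr text, not a status line
        if parts[1] == "GOODMDC":
            good_mdc = True
        elif parts[1] in ("BADMDC", "DECRYPTION_FAILED"):
            failed = True
    return SAFE if good_mdc and not failed else UNSAFE


def decrypt_for_display(ciphertext: bytes) -> Optional[bytes]:
    """Run gpg and return plaintext only when classify_status allows it.

    Status lines go to stderr via --status-fd 2; plaintext arrives on stdout.
    Needs a local gpg with the matching secret key (not invoked by the demo).
    """
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt"],
                          input=ciphertext, capture_output=True, check=False)
    status = proc.stderr.decode("utf-8", errors="replace").splitlines()
    if classify_status(status) != SAFE:
        return None  # do not show the plaintext, and load no remote content for it
    return proc.stdout


# Constructed status output: message decrypted with an intact MDC.
GOOD_RUN = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] PLAINTEXT 62 0 msg.txt",
            "[GNUPG:] DECRYPTION_OKAY", "[GNUPG:] GOODMDC", "[GNUPG:] END_DECRYPTION"]
# Constructed status output: ciphertext was modified, integrity check failed.
BAD_RUN = ["[GNUPG:] BEGIN_DECRYPTION", "gpg: WARNING: encrypted message has been manipulated!",
           "[GNUPG:] BADMDC", "[GNUPG:] DECRYPTION_FAILED", "[GNUPG:] END_DECRYPTION"]
# Constructed status output: legacy message carrying no MDC packet at all.
NO_MDC_RUN = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] PLAINTEXT 62 0 msg.txt",
              "gpg: WARNING: message was not integrity protected", "[GNUPG:] END_DECRYPTION"]
```

Only `classify_status` runs offline; `decrypt_for_display` is the shape of the call a client would make once a real gpg is present.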
Mitigation for Enigmail / Thunderbird users: