So my major lesson learned from the #gpg/#pgp thing today is not to trust warnings by EFF in the future – while parts of their warning were factually correct, they were baiting for attention in annoying and unhelpful ways.
This culture of publishing exploits and issues in a publicity-focused way is disturbing. I had hoped the EFF was beyond this needless hyping of vulns. Apparently not.
A part of their information strategy is that they recommended stopping the use of #GPG/#PGP over stopping the mail client from rendering HTML (or loading external sources in HTML). That's disturbing.
(Also that they let themselves be roped into a publicity campaign.)
@natanji At least Thunderbird (probably the other two, too) supports blocking external resources from HTML mails, which is a good security default anyways. By not offering this as an alternative, EFF says clearly that they value encryption less highly than displaying HTML. I'd have expected at least a sentence discussing this, and offering similar guides for disabling third-party/external resources from HTML mails.
@rixx @natanji If I recall correctly, Thunderbird even blocks loading external resources by default, which is a modern requirement anyways (against tracking), but also stops the attack.
The efail paper claims Thunderbird to be vulnerable, but gives no further details.
IMHO that is an extraordinary claim that would necessitate extraordinary proof.
(I know that Mario/Cure53 was looking into exactly this area from the privacy perspective some time ago and didn't find anything.)
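The "block external resources" default discussed above boils down to one check: before rendering an HTML part, find every reference that would make the client fetch something from a remote server, and refuse to load it. The following is an added example written for this thread (it is not Thunderbird's code and not part of the efail paper); it walks a MIME message, lists the remote references in its text/html parts, and neutralizes them. The sample message and the host name tracker.example are constructed for the example; inline cid: images are deliberately left alone because they do not trigger a network fetch.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Tag attributes that make a mail client fetch a resource when the part is rendered.
_REMOTE_ATTRS = {
    "img": ("src",), "link": ("href",), "iframe": ("src",), "script": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src",),
    "object": ("data",), "embed": ("src",), "input": ("src",),
}
# url(...) inside <style> blocks or style="" attributes also causes a fetch.
_CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
# Only these schemes reach the network; cid:, data: and relative refs do not.
_REMOTE_SCHEME = re.compile(r"^\s*(https?|ftp)://", re.I)


def _is_remote(ref):
    return bool(_REMOTE_SCHEME.match(ref or ""))


class RemoteRefFinder(HTMLParser):
    """Collect (where, url) pairs for every remote resource reference."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in _REMOTE_ATTRS.get(tag, ()):
            if _is_remote(attrs.get(name)):
                self.refs.append((tag, attrs[name]))
        for url in _CSS_URL.findall(attrs.get("style") or ""):
            if _is_remote(url):
                self.refs.append(("style-attr", url))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in _CSS_URL.findall(data):
                if _is_remote(url):
                    self.refs.append(("style", url))


def find_remote_refs(html):
    parser = RemoteRefFinder()
    parser.feed(html)
    parser.close()
    return parser.refs


def neutralize(html):
    """Return the HTML with every remote reference replaced, so rendering fetches nothing."""
    for _, url in find_remote_refs(html):
        html = html.replace(url, "about:blank")
    return html


def scan_message(raw):
    """List remote references across all text/html parts of a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            refs.extend(find_remote_refs(part.get_content()))
    return refs


# Constructed sample: a tracking pixel, a CSS background and an inline cid: image.
SAMPLE = """From: a@example.org
To: b@example.org
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: text/html

<html><head><style>body { background: url("https://tracker.example/bg.png"); }</style></head>
<body><p>hi</p><img src="cid:logo@example" alt="inline logo">
<img src="https://tracker.example/pixel.gif?id=42" width="1" height="1">
<div style="background-image: url('http://tracker.example/x.png')"></div>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for where, url in scan_message(SAMPLE):
        print(f"remote fetch via {where}: {url}")
```

A real client applies the same rule at render time, and a "load remote content" button is the only way past it; the point of the thread is that this default, not abandoning encryption, is what removes the network channel the attack needs.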