[Users] Efail: Claws Mail status

Brad Rogers brad at fineby.me.uk
Thu May 17 11:20:11 CEST 2018


On Thu, 17 May 2018 10:16:52 +0200
Colin Leroy <colin at colino.net> wrote:

Hello Colin,

>Therefore I think it is completely safe. I'll ask the GnuPG people just
>to make sure.

Werner Koch recently posted the following table on the GnuPG list
(which he got from the original paper, I believe):

--8<---------------cut here---------------start------------->8---
          TABLE OF VULNERABLE MAIL CLIENTS

| OS      | Client          | S/MIME | PGP               |  
|         |                 |        | -MDC | +MDC | SE  |  
|---------+-----------------+--------+------+------+-----|
| Windows | Outlook 2007    | yes    | yes  | yes  | no  |  
|         | Outlook 2010    | yes    | no   | no   | no  |
|         | Outlook 2013    | user   | no   | no   | no  |
|         | Outlook 2016    | user   | no   | no   | no  |
|         | Win. 10 Mail    | yes    | –    | –    | –   |
|         | Win. Live Mail  | yes    | –    | –    | –   |
|         | The Bat!        | user   | no   | no   | no  |
|         | Postbox         | yes    | yes  | yes  | yes |
|         | eM Client       | yes    | no   | yes  | no  |
|         | IBM Notes       | yes    | –    | –    | –   |  
| Linux   | Thunderbird     | yes    | yes  | yes  | yes |  
|         | Evolution       | yes    | no   | no   | no  |
|         | Trojitá         | yes    | no   | no   | no  |
|         | KMail           | user   | no   | no   | no  |
|         | Claws           | no     | no   | no   | no  |
|         | Mutt            | no     | no   | no   | no  |  
| macOS   | Apple Mail      | yes    | yes  | yes  | yes |  
|         | MailMate        | yes    | no   | no   | no  |
|         | Airmail         | yes    | yes  | yes  | yes |  
| iOS     | Mail App        | yes    | –    | –    | –   |  
|         | Canary Mail     | –      | no   | no   | no  |  
| Android | K-9 Mail        | –      | no   | no   | no  |  
|         | R2Mail2         | yes    | no   | yes  | no  |
|         | MailDroid       | yes    | no   | yes  | no  |
|         | Nine            | yes    | –    | –    | –   |  
| Webmail | United Internet | –      | no   | no   | no  |  
|         | Mailbox.org     | –      | no   | no   | no  |
|         | ProtonMail      | –      | no   | no   | no  |
|         | Mailfence       | –      | no   | no   | no  |
|         | GMail           | yes    | –    | –    | –   |  
| Webapp  | Roundcube       | –      | no   | no   | yes |  
|         | Horde IMP       | user   | no   | yes  | yes |
|         | AfterLogic      | –      | no   | no   | no  |
|         | Rainloop        | –      | no   | no   | no  |
|         | Mailpile        | –      | no   | no   | no  |  


–    = Encryption not supported
no   = Not vulnerable
yes  = Vulnerable
user = Vulnerable after user consent

-MDC = with stripped MDC, +MDC = with wrong MDC, SE = SE packets
--8<---------------cut here---------------end--------------->8---

As you can see, Claws is safe.  Werner goes on to say that S/MIME is at
greater risk than PGP, but even then, Claws, The Bat! and a couple of
others are safe.

Further, talks are underway on the GnuPG list to determine what can be
done, if anything, to mitigate against any potential damage from efail.
From what I understand (not too much;  most of it is quite technical),
it looks hopeful.

-- 
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
Life's short, don't make a mess of it
No Time To Be 21 - The Adverts