If you’re using S/MIME, PGP, or GPG encryption for messages in Apple’s Mail app or other email client apps, you could be susceptible to what’s being called Efail. The security flaw could expose the contents of encrypted email messages as plain text. You can protect your messages until app updates addressing the flaw are released, and it’s easy to do.
What is Efail?
Efail is a security flaw affecting S/MIME, PGP, and GPG email that uses a URL to call back to a remote server for an image in a way that exposes plain text versions of encrypted email messages, both current and past. It affects Apple’s Mail app, Mozilla Thunderbird with the Enigmail plug-in, and Outlook with Gpg4win.
The flaw doesn’t seem to be in the encryption algorithm itself, but in the way email apps handle the request for remote content.
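To make that remote content request concrete, here is an added example (not code from the original article) that parses a raw MIME message with Python’s standard `email` module and lists the http(s) resources its HTML parts would cause a mail client to fetch when remote loading is enabled; it then flags a message that combines such references with an S/MIME or PGP/MIME encrypted part, which is the combination the workaround below is meant to prevent. The two sample messages, the host name `remote.example`, and the placeholder ciphertext are constructed for this example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# MIME types that mark a message, or one of its parts, as S/MIME or PGP/MIME encrypted.
ENCRYPTED_TYPES = {
    "multipart/encrypted",
    "application/pgp-encrypted",
    "application/pkcs7-mime",
    "application/x-pkcs7-mime",
}

# Attributes whose value a client fetches while rendering the HTML (not on click).
_FETCH_ATTRS = {"src", "background", "poster", "data"}
# CSS url(...) references inside inline style attributes.
_CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.IGNORECASE)


class _RemoteRefParser(HTMLParser):
    """Collect every http(s) URL an HTML part would make the client request."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in _FETCH_ATTRS and urlsplit(value).scheme.lower() in ("http", "https"):
                self.urls.append(value)
            elif name == "style":
                self.urls.extend(_CSS_URL.findall(value))


def remote_references(raw: bytes) -> list[str]:
    """Return the remote URLs referenced by the text/html parts of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found: list[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _RemoteRefParser()
            parser.feed(part.get_content())
            found.extend(parser.urls)
    return list(dict.fromkeys(found))  # keep document order, drop duplicates


def has_encrypted_part(raw: bytes) -> bool:
    """True if any MIME part of the message is S/MIME or PGP/MIME encrypted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return any(part.get_content_type() in ENCRYPTED_TYPES for part in msg.walk())


def assess(raw: bytes) -> str:
    """'exposed': encrypted content alongside remote references (the Efail shape);
    'remote-only': remote references but nothing encrypted; 'clean': no remote references."""
    urls = remote_references(raw)
    if not urls:
        return "clean"
    return "exposed" if has_encrypted_part(raw) else "remote-only"


# Constructed sample: an HTML part with remote references next to a PGP/MIME part.
SAMPLE_EXPOSED = b"""\
From: alice@example.com
To: bob@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body><img src="http://remote.example/track.png">
<div style="background:url(https://remote.example/bg.png)">hello</div></body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder ciphertext, constructed for this example
-----END PGP MESSAGE-----
--inner--
--outer--
"""

# Constructed sample: only an inline (cid:) image, nothing fetched from the network.
SAMPLE_CLEAN = b"""\
From: alice@example.com
To: bob@example.com
Subject: constructed clean sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:logo@example.com"><p>hello</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("exposed", SAMPLE_EXPOSED), ("clean", SAMPLE_CLEAN)):
        print(label, assess(raw), remote_references(raw))
```

Disabling remote content loading in the client, as the workaround below does, is exactly what stops the URLs this function lists from ever being requested; a mail gateway or mailbox audit could run the same check to find messages that would trigger such requests.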
If you rely on encrypted email for sensitive communication you should consider an alternate method, such as Apple’s Messages, WhatsApp, or Signal. Those apps all offer end-to-end encryption to keep your messages away from prying eyes.
Getting Efail to work requires an encryption key to have already been shared. That happens automatically when the sender and receiver have previously exchanged encrypted email messages. In other words, you have already exchanged public keys.
That means a random hacker can’t use the Efail flaw to decrypt your email messages.
Mail’s Efail Temporary Workaround
If completely removing your email encryption tool seems a little too extreme, you can disable Mail’s option to load remote content in messages. Here’s how:
- Launch Mail on your Mac
- Go to Mail > Preferences
- Select the Viewing tab
- Uncheck Load remote content in messages
A lot of your Mail messages will look pretty plain, but you won’t be susceptible to Efail while waiting for a security patch. The upside is that you can still view the contents of encrypted messages.
Removing GPGTools and Enigmail Plug-ins
If you’re using Apple’s Mail app with GPGTools, here’s how to remove the plug-in:
- Quit the Mail app
- Choose Go > Go to Folder in the Finder
- Enter ~/Library/Mail/Bundles in the Go to the folder field
- Click Go
- Move GPGMail.mailbundle to the Trash
Here’s how to remove Enigmail in Thunderbird:
- Launch Thunderbird
- Click the three stacked bars icon, also called a hamburger button, and select Add-Ons
- Click Disable next to Enigmail
You’ll be protected from the Efail flaw, but you won’t be able to view the contents of encrypted messages after removing GPGTools or Enigmail.
Patches are in the works to fix the Efail flaw and should be available soon. And if you don’t use email encryption tools, you don’t have to worry about Efail at all.