Efail – safe with gpg4o
On Monday 16th 2018 press releases suggested that both OpenPGP and S/MIME had been broadly compromised by the efail scenarios. Unfortunately, this news was spread without an explanation of the technical background. On closer inspection, the standards themselves have not been directly compromised. The attacks described require several steps to carry out, and they depend on insufficient coordination between the mail client and the cryptographic library. Some even require user interaction.
Extensive tests with gpg4o showed that there is a minor risk when it is used with an older GnuPG version of the 1.4 family. Users of GnuPG 2.1/2.2 are safe.
Users who want to be safe right now should upgrade to the current GnuPG 2.2 family. The latest version certified for use with gpg4o can be found here.
For users who want to keep their current GnuPG 1.4 family, version 5.3.1, which is protected against efail, has been distributed via the automatic update since yesterday.
For your own safety, please make sure that your PGP communication partner also has an encryption solution that is not affected by efail.
Confidentiality and integrity of the confidential data encrypted with gpg4o are our highest priority. This and high usability are the major reasons thousands of customers around the world rely on gpg4o. In our continuous improvement process, we are committed to maintaining and enhancing this protection of our customers' data in all future releases wherever necessary.