Digital Security Exchange

Update, July 2018: If you’re using Thunderbird and the Enigmail plugin to encrypt your email, the EFF says it’s safe to turn PGP encryption back on. If you’re using Apple Mail, they recommend holding off. For other clients, their advice remains the same as always: “If you depend on your email client to decipher PGP messages, make sure it doesn’t decode HTML mail, and check with its creators to see whether they’ve been working on protecting against EFAIL.”

This week, security researchers released information about vulnerabilities in PGP email clients that could expose past or future content, even if it was encrypted, dubbing the flaw “Efail.” Please take the time to read this quick note about what the PGP email threat is and how to take action.

The Electronic Frontier Foundation, in a report this week, warned users of major email clients to disable or uninstall PGP plugins and switch to another secure communication method. The list of email clients includes Thunderbird with Enigmail, Mac OS, and Gpg4win for Windows.

There’s a robust discussion within the security community about the ramifications of this vulnerability and what users need to do in response. From our perspective, it’s best to be conservative and avoid using encrypted email until these issues are resolved.


If you choose to continue using email, encrypting it using PGP is still much better than not encrypting it at all. But do the following:

Please follow us on Twitter or join our mailing list for more updates.