/article-new/2018/05/GPGMail-250x250.jpg?lossy)
Security researchers are warning users of PGP/GPG email encryption plugins not to use the software, after critical vulnerabilities were discovered that could potentially be used reveal the plaintext of encrypted emails.
The official advice from security researchers is to disable and/or uninstall the affected software until the vulnerabilities are disclosed and fixes can be issued. In the meantime, users are advised to seek alternative end-to-end encrypted channels such as Signal to send and receive sensitive content.
This short how-to guides users through the steps necessary to remove the popular open-source encryption plugin GPG Tools (GPGMail) from Apple Mail. It requires deleting a "bundle" file used by the app. Users' existing encryption keys are not affected by the procedure and will remain on their hard disk. GPGTools has also since published a temporary workaround that it believes mitigates against similar so-called "Efail" attacks.
How to Uninstall GPG Tools from Apple Mail
- Quit Apple Mail if it is running (Mail -> Quit Mail in the menu bar).
- Click on the desktop and in the Finder menu bar, select Go -> Go to Folder....
- In the Go to Folder dialog that appears, type /Library/Mail/Bundles and click Go.
- Delete the GPGMail.mailbundle file by either dragging it to the trash in your dock or by right-clicking (Ctrl-clicking) it and selecting Move to Trash in the contextual dropdown menu. If you don't see the mailbundle file, return to the previous step but type ~/Library/Mail/Bundles in the Go to Folder dialog (note the tilde (~) character denotes your home folder).
- Enter your administrator password if prompted to confirm the action.
/article-new/2018/05/go-to-folder-menu-bar-800x573.jpg?lossy)
/article-new/2018/05/go-to-mail-folder-800x320.jpg?lossy)
/article-new/2018/05/delete-mailbundle-gpg-800x581.jpg?lossy)
After following the above steps, the GPG Tools email plugin will be gone from Apple Mail the next time you launch the client.
Top Rated Comments
That’s not good. But uninstalling is an overreaction. Wait for a fix.
Agreed. This article seems akin to "Researchers have discovered that seatbelts don't always work - here's how to cut them out of your car" (the dealer will really appreciate that when you take it in for repair). Well, great, when they come up with an updated app, it'll be harder to get it installed. How about just hold off on encrypting things for a bit.[doublepost=1526316516][/doublepost]
The official advice from security researchers is to disable and/or uninstall the affected software until the vulnerabilities are disclosed and fixes can be issued. In the meantime, users are advised to seek alternative end-to-end encrypted channels ...
This article seems ill-advised. How about telling people how to temporarily disable the software, rather than rushing through a multi-step process to delete it?This short how-to guides users through the steps necessary to remove the popular open-source encryption plugin GPG Tools (GPGMail) ('https://gpgtools.org') from Apple Mail.
It is also unclear whether my encrypted emails are affected since I use plaintext emails by default.
If, as the researchers claim, any previously send Email is at risk, removing the software now does not magically makes these Emails secure.
At the moment too little is known to fully understand the problem. Most security problems require certain elements to make an attack successful in the wild. From what I have gathered so far, the attack is successful against MIME-encoded Emails. So changing your Email-settings to send them as 'plain-text' may be far more effective than blindly uninstalling PGP.
I don't think removing PGP is solving any problem.
As I understand it, the uninstall advice from EFF seems to be a protective measure for people who expect the encryption to 'just work' in their mail app of choice. At least this way they know their emails aren't secure and can choose a different means of communicating. Signal does seem a good alternative for now.If, as the researchers claim, any previously send Email is at risk, removing the software now does not magically makes these Emails secure.