From: Molly de Blanc <molly@fsf.org>
Date: Mon, 18 Jun 2018 14:28:10 +0000 (-0400)
Subject: updated ESD in light of post-EFAIL security vulnerabilities around spoofing signatures.
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=c0c01f86dad3faddb94399f7b877f79a036bd03b;p=enc-live.git

updated ESD in light of post-EFAIL security vulnerabilities around spoofing signatures.
---

diff --git a/en/index.html b/en/index.html
index 23ca960..6f99749 100644
--- a/en/index.html
+++ b/en/index.html
@@ -157,6 +157,9 @@ but provide extra features.</p>
 <p>If you already have an email program, you can skip to <a
 href="#step-1b">Step 1.b</a>.</p>
 
+<p class="notes">There are serious security flaws in GnuPG versions prior to 2.2.8. Install GnuPG versions 2.2.8 or 1.4.23 or later. There are also known issues with GPGTools prior to 2018.3. Make sure you have the most recent version of GPGTools.</p>
+
+
 </div><!-- End .section-intro -->
 
 <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
@@ -238,7 +241,7 @@ so, skip this step.</p>
 <p>If not, search "Enigmail" with the search bar in the upper right. You
 can take it from here. Restart your email program when you're done.</p>
 
-<p>Enigmail versions prior to 2.0.6 have serious security issues. Make sure to install version 2.0.6 or later. The current version is 2.0.6.1.</p>
+<p>Enigmail versions prior to 2.0.7 have serious security issues. Make sure to install version 2.0.7 or later.</p>
 
 <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ -->
 <div class="troubleshooting">
@@ -659,7 +662,7 @@ independent of the actual email.</p>
 
 <p>For greater security against potential attacks, you can turn off
 HTML. Instead, you can render the message body as plain text. In order
-to do this in Thunderbird, go to View > Message Body As > Plain
+to do this in Thunderbird, go to View &gt; Message Body As &gt; Plain
 Text.</p>
 
 </div><!-- End .main -->
@@ -833,15 +836,15 @@ and choosing Key Properties. It's good practice to share your fingerprint
 wherever you share your email address, so that people can double-check that
 they have the correct public key when they download yours from a keyserver.</p>
 
-<p class="notes">You may also see public keys referred to by their key ID,
-which is simply the last eight digits of the fingerprint, like C09A61E8 for
-Edward. The key ID is visible directly from the Key Management window. This
-key ID is like a person's first name (it is a useful shorthand but may not be
-unique to a given key), whereas the fingerprint actually identifies the key
-uniquely without the possibility of confusion. If you only have the key ID,
-you can still look up the key (as well as its fingerprint), like you did in
-Step 3, but if multiple options appear, you'll need the fingerprint of the
-person to whom you are trying to communicate to verify which one to use.</p>
+<p class="notes">You may also see public keys referred to by a shorter
+key ID. This key ID is visible directly from the Key Management
+window. These eight character key IDs were previously used for
+identification, which used to be safe, but is no longer reliable. You
+need to check the full fingerprint as part of verifying you have the
+correct key for the person you are trying to contact. Spoofing, in
+which someone intentionally generates a key with a fingerprint whose
+final eight characters are the same as another, is unfortunately
+common.</p>
 
 </div><!-- End .main -->
 </div><!-- End #step-identify_keys .step-->
diff --git a/en/mac.html b/en/mac.html
index af17731..65f03fd 100644
--- a/en/mac.html
+++ b/en/mac.html
@@ -155,6 +155,8 @@ you can access in a browser (like Gmail), but provide extra features.</p>
 <p>If you already have an email program, you can skip to <a
 href="#step-1b">Step 1.b</a>.</p>
 
+<p class="notes">There are serious security flaws in GnuPG versions prior to 2.2.8. Install GnuPG versions 2.2.8 or 1.4.23 or later. There are also known issues with GPGTools prior to 2018.3. Make sure you have the most recent version of GPGTools.</p>
+
 </div><!-- End .section-intro -->
 
 <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
@@ -241,7 +243,7 @@ so, skip this step.</p>
 <p>If not, search "Enigmail" with the search bar in the upper right. You
 can take it from here. Restart your email program when you're done.</p>
 
-<p>Enigmail versions prior to 2.0.6 have serious security issues. Make sure to install version 2.0.6 or later. The current version is 2.0.6.1.</p>
+<p>Enigmail versions prior to 2.0.7 have serious security issues. Make sure to install version 2.0.7 or later.</p>
 
 <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ -->
 <div class="troubleshooting">
@@ -822,15 +824,15 @@ and choosing Key Properties. It's good practice to share your fingerprint
 wherever you share your email address, so that people can double-check that
 they have the correct public key when they download yours from a keyserver.</p>
 
-<p class="notes">You may also see public keys referred to by their key ID,
-which is simply the last eight digits of the fingerprint, like C09A61E8 for
-Edward. The key ID is visible directly from the Key Management window. This
-key ID is like a person's first name (it is a useful shorthand but may not be
-unique to a given key), whereas the fingerprint actually identifies the key
-uniquely without the possibility of confusion. If you only have the key ID,
-you can still look up the key (as well as its fingerprint), like you did in
-Step 3, but if multiple options appear, you'll need the fingerprint of the
-person to whom you are trying to communicate to verify which one to use.</p>
+<p class="notes">You may also see public keys referred to by a shorter
+key ID. This key ID is visible directly from the Key Management
+window. These eight character key IDs were previously used for
+identification, which used to be safe, but is no longer reliable. You
+need to check the full fingerprint as part of verifying you have the
+correct key for the person you are trying to contact. Spoofing, in
+which someone intentionally generates a key with a fingerprint whose
+final eight characters are the same as another, is unfortunately
+common.</p>
 
 </div><!-- End .main -->
 </div><!-- End #step-identify_keys .step-->
diff --git a/en/windows.html b/en/windows.html
index 3704ff1..a031a8d 100644
--- a/en/windows.html
+++ b/en/windows.html
@@ -155,6 +155,8 @@ you can access in a browser (like Gmail), but provide extra features.</p>
 <p>If you already have an email program, you can skip to <a
 href="#step-1b">Step 1.b</a>.</p>
 
+<p class="notes">There are serious security flaws in GnuPG versions prior to 2.2.8. Install GnuPG versions 2.2.8 or 1.4.23 or later. There are also known issues with GPGTools prior to 2018.3. Make sure you have the most recent version of GPGTools.</p>
+
 </div><!-- End .section-intro -->
 
 <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
@@ -241,7 +243,7 @@ so, skip this step.</p>
 <p>If not, search "Enigmail" with the search bar in the upper right. You
 can take it from here. Restart your email program when you're done.</p>
 
-<p>Enigmail versions prior to 2.0.6 have serious security issues. Make sure to install version 2.0.6 or later. The current version is 2.0.6.1.</p>
+<p>Enigmail versions prior to 2.0.7 have serious security issues. Make sure to install version 2.0.7 or later.</p>
 
 <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ -->
 <div class="troubleshooting">
@@ -813,6 +815,7 @@ type="reset" value="reset" name=".reset"></p>
 
 <h3>Identifying keys: Fingerprints and IDs</h3>
 
+
 <p>People's public keys are usually identified by their key fingerprint,
 which is a string of digits like F357AA1A5B1FA42CFD9FE52A9FF2194CC09A61E8
 (for Edward's key). You can see the fingerprint for your public key, and
@@ -822,15 +825,15 @@ and choosing Key Properties. It's good practice to share your fingerprint
 wherever you share your email address, so that people can double-check that
 they have the correct public key when they download yours from a keyserver.</p>
 
-<p class="notes">You may also see public keys referred to by their key ID,
-which is simply the last eight digits of the fingerprint, like C09A61E8 for
-Edward. The key ID is visible directly from the Key Management window. This
-key ID is like a person's first name (it is a useful shorthand but may not be
-unique to a given key), whereas the fingerprint actually identifies the key
-uniquely without the possibility of confusion. If you only have the key ID,
-you can still look up the key (as well as its fingerprint), like you did in
-Step 3, but if multiple options appear, you'll need the fingerprint of the
-person to whom you are trying to communicate to verify which one to use.</p>
+<p class="notes">You may also see public keys referred to by a shorter
+key ID. This key ID is visible directly from the Key Management
+window. These eight character key IDs were previously used for
+identification, which used to be safe, but is no longer reliable. You
+need to check the full fingerprint as part of verifying you have the
+correct key for the person you are trying to contact. Spoofing, in
+which someone intentionally generates a key with a fingerprint whose
+final eight characters are the same as another, is unfortunately
+common.</p>
 
 </div><!-- End .main -->
 </div><!-- End #step-identify_keys .step-->