You are here

EFF has egg on face over PGP-S/MIME "EFAIL" hyberbole

Richi Jennings, Industry analyst and editor, RJAssociates

The Electronic Frontier Foundation is under fire this week, accused of over-hyping “EFAIL”—a set of vulnerabilities in email encryption tools based on PGP, GPG and S/MIME.

Stop using it, says the EFF. But critics are calling the warnings “overblown,” “disproportionate,” “irresponsible,” “a private vendetta,” and “an epic fail.”

What a palaver. In this week’s Security Blogwatch, we wonder who was still using PGP and S/MIME, anyway.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Barbarian Beef

How to Get the Most From Your Application Security Testing Budget

Pretty Ghastly Privacy; Stupid/MIME

What’s the craic? Ms. Smith warns of Critical PGP and S/MIME bugs:

EFAIL … is the reason you should stop using Pretty Good Privacy (PGP) … to decrypt your email, according to a group of researchers who discovered vulnerabilities that could be exploited to “reveal the plaintext of encrypted emails, including encrypted emails sent in the past.”

The EFF confirmed the vulnerabilities before urging users to take action. … The researchers had not intended to fully release the details just yet, but the Suddeutsche Zeitung newspaper broke an embargo.

Uh oh. Shaun Nichols sheepishly scribbles email app flaws menace PGP-encrypted chats:

The flaws, collectively dubbed EFAIL, are present in the way some email clients handle PGP and S/MIME encrypted messages. By taking advantage of the way the applications handle HTML content of these messages, an attacker could … decrypt your secret emails.

The vulnerability comes in two parts: an HTML exfiltration attack in which a snoop sends the target an email with specially crafted web mark-up language. … The second component, referred to as CBC/CFB gadget attack, potentially allows an attacker to send malformed data blocks that, when read by the target, would fool the email client into sending to the attacker's server the unencrypted contents of the message.

The S/MIME CBC vulnerability was given CVE-2017-17689. … The PGP CFB gadget attack [is] CVE-2017-17688.

Sky falling? Film at 11? The EFF’s Erica Portnoy, Danny O'Brien and Nate Cardozo squawk Not So Pretty:

Don’t panic! But you should stop using PGP for encrypted email … for now. … The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days. … We recommend that for now you uninstall or disable your PGP email plug-in.

PGP, which stands for “Pretty Good Privacy,” was first released nearly 27 years ago by Phil Zimmermann. … An open source implementation called GNU Privacy Guard (GPG) has been widely adopted by the security community.

Fixing this entirely is going to take time. … We are in an uncertain state, where it is hard to promise the level of protection users can expect of PGP.

We’re taking this latest announcement as a wake-up call to everyone in the infosec and digital rights communities … to unite and work together. … We’re also going to keep up our work improving the general security of the email ecosystem with initiatives like STARTTLS Everywhere.

“Pretty good privacy” is no longer enough. We all need to work on really good privacy, right now.

If anything, the problem is being downplayed, according to this Anonymous Coward:

Both OpenPGP and S/MIME standards are broken by bad design. The later completely, the first one due to later tacked on security-checking that wasn't always enforced and "warnings" still returned the encrypted text in any case.

And then the developer communities of OpenPGP implementations PGP, GPG act like complete idiots by downplaying and bad mouthing the research.

Wait, what? Here are the anonymous ProtonMail socmed gnomes, for example:

The correct response to the efail vulnerability is not to stop encrypting, but to use clients that are using secure implementations of PGP.

It is not correct to call Efail a new vulnerability in PGP and S/MIME. The root issue has been known since 2001. The real issue is that some clients that support PGP were not aware for 17 years and did not perform the appropriate mitigation.

The EFF warning is overblown and disproportionate, and likely issued without fully understanding the issue. It was irresponsible for the researchers to not correct that.

[This] is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.

Oh. Um. Nicholas Weaver puts it really really really really succinctly: [You’re fired—Ed.]

The EFF's fear-mongering on PGP was really really really really bad.

Is there some way this story could be worse? Jan @jwildeboer Wildeboer obliges us:

Wow. What an epic fail.

Totally over the top “warnings”.
A paper that fails to give details (which version of Thunderbird with which version of enigmail?).
A planned big reveal that faltered, people now thinking email in general is insecure.
The EFF seemingly fighting a private vendetta against (Open)PGP.
A reminder that MIME multipart handling by Mail Clients is a stinking pile of ****.
A big fat warning that S/MIME is really badly implemented but no one really notices due to focus on GPG/PGP.
A professor declaring that email now is totally insecure.
Tech journalism blindly jumping on that quote.

What we need right now is a colorful metaphor. Here’s TrumpSlurp the Troll:

There is a reported vulnerability in your front door lock which requires a lot of effort to use.

The recommendation is that you should remove your front door lock and leave all the windows open.

But it’s not a simple as all that, according to Matthew @matthew_d_green Green:

It’s an extremely cool attack and kind of a masterpiece in exploiting bad crypto, combined with a whole lot of sloppiness on the part of mail client developers.

The real news here is probably about S/MIME, which is actually used in corporate e-mail settings. Attacking and modifying encrypted email stored on servers could actually happen, so this is a big deal. Plus … it’s (a) a dumb protocol, and (b) a simple protocol not filled with legacy cruft, and (c) it’s built into email clients.

But of course the attack also implicated the garbage-fire that is the PGP ecosystem. [But] the quality expectations … are low because it was invented in the Precambrian era. So it doesn’t do proper authentication.

So in summary, PGP clients are vulnerable because 17 years after a vulnerability was known, the mitigation was not made a default in GnuPG and defense was instead “left to PGP clients”, which also make a convenient scapegoat when it goes pear-shaped.

And Sarah Jamie @SarahJamieLewis Lewis gets real:

"Our software is secure if you use it correctly" means "our software is not secure." … To Summarize:

PGP is still a trashfire
Email is still a trashfire
Email clients are still a trashfire

We are continuing to fail the world. Don't panic, everything will still be as broke next week.

And let's be really honest if an adversary really wanted a decrypted copy of an email they would just spoof some headers and ask you to send it again in plaintext because pgp is ****, and you would believe them and do it.

I weep for this discipline.

Meanwhile, Filippo @FiloSottile Valsorda channels The Simpsons:

[0] days since retrofitting security on top of a complex existing system blew up.

And in fact, there’s actually nothing to see here, according to dragonfrog:

Don’t worry. Email encryption is so dreadfully unusable, nobody is placed at risk because nobody uses it.

The moral of the story? What other ancient software layers do you rely on? And to the security researchers: Enough with the hyperbole, already.

And Finally…

How to grill without a grill

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Carolyn Coles (cc:by)

 [ Partner resource: Take Security Journey's first two white belt modules for free ]

[ Free Report: The State of Application Security in the Enterprise ]