15 May 2018

“Efail” Turns Out to Be a Real Fail for Consumers

Mark Kuhr

Another security nightmare started to unfold today when a news article from Gizmodo suggested that “if you use PGP or S/MIME for email encryption you should immediately disable it in your email client.” Why such a dire command? A vulnerability called “Efail”, disclosed this morning by a group of researchers in Europe, which exposes encrypted emails in plain text. Gizmodo’s advice was basically just repeating the urging from the group of EFF researchers who originally found and disclosed the vulnerability early this morning: “Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.” This kind of panic in the cyber security space is something we have now become all too used to.

Independent security researchers are advising people to stop using PGP, and the media is following suit. But this is a terrible idea. Even if a malicious actor could exploit this vulnerability (which would prove difficult), encryption is still better than no encryption. This is like saying “your lock may not work, so leave your door wide open.”

The researchers reported this as a bug in PGP, but it is not a PGP issue at all. The vulnerability is an issue with the way clients render mail. Efail is not a cryptographic attack against the PGP encryption protocol, as the EFF researchers originally reported; it’s merely a common client-side content-rendering vulnerability. Savvy users of email clients will already have disabled scripts and other forms of active content when rendering and decrypting email.

Why Does It Matter?

  • The way Efail was presented is a sham, which calls into question the fame so readily and easily given to researchers who “responsibly disclose” vulnerabilities for the media attention. Who is validating their findings and checking their facts? Are we to believe everything we read?

ProtonMail tweeted this today: “Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.”

  • Beyond the recklessness of the research group, what about the media that covered the story? Journalists need to do some diligence before they report on these types of vulnerabilities and pass on advice that ultimately pushes users away from secure communication channels.
  • Despite the hype around this one, the Efail vulnerability is entirely preventable without patches and can be safely mitigated in the client settings of most common PGP clients.
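What “disable scripts and active content” amounts to in practice is a rendering policy applied to the HTML body of a decrypted message before anything is displayed. The sanitizer below is an added example written for this post, not code from the original article or from any real mail client; it treats scripts, inline event handlers, embedded objects and remote resource fetches (the “load remote content” setting most clients expose) as active content, strips them, and reports what it removed. The element and attribute lists and the sample message body are constructed assumptions, not taken from any client or from the Efail paper.

```python
"""Minimal 'no active or remote content' rendering policy for HTML mail.

Added example for illustration only; the element/attribute lists and the
sample body are constructed, not taken from any mail client or advisory.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose content must never reach the renderer (assumed list).
DROP_ELEMENTS = {"script", "style", "iframe", "object", "embed", "form"}
# Attributes that make the client fetch a resource while rendering.
FETCH_ATTRS = {"src", "href", "background", "poster", "action", "srcset"}
# Elements allowed to keep href: a link is only followed on click.
LINK_ELEMENTS = {"a"}


def is_remote(url):
    """True when rendering this URL would contact a network host.

    cid: (inline attachments) and data: URLs are local; http/https/ftp and
    scheme-relative (//host/...) URLs are remote. Unparseable input is
    treated as remote so the policy fails closed.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return True
    if parts.scheme.lower() in ("http", "https", "ftp"):
        return True
    return parts.scheme == "" and parts.netloc != ""


class RemoteContentStripper(HTMLParser):
    """Re-emits the HTML with active and remote content removed."""

    def __init__(self):
        super().__init__()
        self.out = []        # sanitized HTML fragments
        self.findings = []   # human-readable log of what was stripped
        self._skip_tag = None
        self._skip_depth = 0  # > 0 while inside a dropped element

    def _render(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            value = "" if value is None else value
            if name.startswith("on"):            # inline event handler
                self.findings.append(f"removed {name} handler on <{tag}>")
                continue
            is_link_href = tag in LINK_ELEMENTS and name == "href"
            if name in FETCH_ATTRS and not is_link_href and is_remote(value):
                self.findings.append(f"removed remote {name} on <{tag}>: {value}")
                continue
            if name == "style" and "url(" in value.lower():  # CSS fetch
                self.findings.append(f"removed style with url() on <{tag}>")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        return f"<{tag}{''.join(kept)}{' />' if self_closing else '>'}"

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag == self._skip_tag:
                self._skip_depth += 1
            return
        if tag in DROP_ELEMENTS:
            self.findings.append(f"dropped <{tag}> element")
            self._skip_tag, self._skip_depth = tag, 1
            return
        self.out.append(self._render(tag, attrs, self_closing=False))

    def handle_startendtag(self, tag, attrs):
        if self._skip_depth:
            return
        if tag in DROP_ELEMENTS:
            self.findings.append(f"dropped <{tag}> element")
            return
        self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag == self._skip_tag:
                self._skip_depth -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments are dropped by default (handle_comment does nothing), which
    # also discards conditional-comment tricks.


def sanitize_mail_html(html):
    """Return (sanitized_html, findings) for one message body."""
    parser = RemoteContentStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample body: one inline image, one tracking image, one link,
# one script and one element with an event handler and a CSS fetch.
SAMPLE_BODY = (
    '<html><body><p>Quarterly numbers attached.</p>'
    '<img src="https://tracker.example/pixel.gif?id=42">'
    '<img src="cid:logo@example">'
    '<a href="https://example.com/report">report</a>'
    '<script>document.title="x"</script>'
    '<div onclick="alert(1)" style="background:url(https://tracker.example/bg.png)">hi</div>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, log = sanitize_mail_html(SAMPLE_BODY)
    print(clean)
    for entry in log:
        print("-", entry)
```

Run against the sample, the inline `cid:` image and the clickable link survive, while the tracking image source, the script, the `onclick` handler and the `url()` style are removed and listed in the findings; a client that applies such a policy to decrypted bodies has no rendering-time channel left for this class of bug, with or without a patch.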

We all face enough legitimate cyber security issues without adding more noise here. We can’t go around encouraging consumers to turn off encryption in their email. That’s just asking for a devastating 0day. Be careful what you believe, folks.