Efail or OpenPGP is safer than S/MIME

Robert J. Hansen rjh at sixdemonbag.org
Mon May 14 10:27:35 CEST 2018

The following is what I wrote to a journalist covering the story:


We've known about problems in OpenPGP's feedback mode for at least
thirteen years.  (See https://eprint.iacr.org/2005/033.pdf for an
example.)  The OpenPGP working group resolved these problems by adopting
modification detection codes (MDCs).  GnuPG properly implements MDCs and
gives clear and unambiguous warnings if a message lacks an MDC.  The
paper authors acknowledge that if an email client handles these warnings
sensibly, their attack fails.

In other words, their attack is completely dependent on email clients
handling our warnings in a broken way.  Great: that they've found bugs
in major email clients is a good thing, but where's the flaw in the
OpenPGP protocol or GnuPG's implementation of it?  And does this really
deserve the hype-tastic title "Breaking S/MIME and OpenPGP Email
Encryption" when it really doesn't do that?

In grad school my adviser told me to follow Napoleon's Rule in paper
titles.  "If you tell the world you're going to conquer Russia, you'd
better conquer Russia."  This paper doesn't deliver on what its title
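
Added example, not part of the original message and not GnuPG project code: one way a mail client could treat the MDC result as a hard gate before rendering anything. It assumes the GOODMDC, BADMDC, DECRYPTION_OKAY and DECRYPTION_FAILED keywords that gpg writes with --status-fd; the function names and sample status lines are constructed for illustration.

```python
# Fail-closed gate over `gpg --status-fd` output (added example).
# Assumption: the caller buffers the plaintext and hands it to the
# renderer only after gpg has exited and may_render() returned True.
STATUS_PREFIX = "[GNUPG:] "

def parse_status(status_text):
    """Return (keyword, args) tuples for every status line."""
    events = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # not a status line, ignore
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            events.append((parts[0], parts[1:]))
    return events

def may_render(status_text, exit_code):
    """Return (ok, reason); ok only if integrity was positively verified."""
    seen = {keyword for keyword, _ in parse_status(status_text)}
    if "BADMDC" in seen:
        return False, "integrity check failed (BADMDC)"
    if "DECRYPTION_FAILED" in seen or exit_code != 0:
        return False, "gpg reported a failure"
    if "DECRYPTION_OKAY" not in seen:
        return False, "no DECRYPTION_OKAY seen"
    if "GOODMDC" not in seen:
        # Decrypted, but nothing vouches for integrity: treat as an
        # error, never as a warning shown next to rendered content.
        return False, "message lacks a verified MDC"
    return True, "ok"

# Constructed sample status output (not captured from a real run).
GOOD = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION"""
NO_MDC = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 9
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION"""
BAD_MDC = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION"""

if __name__ == "__main__":
    for name, text, rc in (("good", GOOD, 0), ("no-mdc", NO_MDC, 0), ("bad-mdc", BAD_MDC, 2)):
        print(name, may_render(text, rc))
```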
