Efail or OpenPGP is safer than S/MIME
andrewg at andrewg.com
Mon May 14 15:44:31 CEST 2018
On 14/05/18 13:42, Robert J. Hansen wrote:
>> If I read it correctly, it also has another attack, no longer based on
>> user agents concatenating HTML mime parts, but also based on CFB
>> gadgets. Which, here, looks like a flaw in the OpenPGP specification
>> indeed (and thus GnuPG's implementation of it), and not in MUAs?
>
> MDCs stop it dead. If a message has no MDC or an invalid MDC, GnuPG
> _will_ warn you about it. Now, whether your email client does the right
> thing upon being warned, that's between you and your email client...

This all exposes one of the difficulties with trying to manage security
software in a decentralised ecosystem. We end up in arguments over whose
responsibility it is when the joints come apart.

I would humbly suggest that we stop worrying about which side of the
GPG/MUA fence the ball is on, and fix it on *both* sides. That means:

1. change the default behaviour of GPG so that any integrity failure is
   fatal by default, even for old ciphersuites (we could have a flag to
   override for those that really need it). For belt and braces, disable
   the obsolete ciphersuites by default (again, we can provide an
   override). We have assumed that so long as you don't *generate* poor
   crypto you're safe. That's just not true.

2. AND the MUAs need to make sure they fail hard on integrity warnings,
   because old versions of GPG may hang around for a while. Also ensure
   that links aren't followed by default, that the capabilities of
   encrypted HTML mail are constrained, etc.

The PGP ecosystem will survive this, because the tech is in place. The
enforcement has just erred a little too far on the side of
compatibility. It's all fixable.
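
Added example, not part of the original message and not GnuPG or MUA project code: one way a mail client could "fail hard on integrity warnings" as point 2 asks, by gating buffered plaintext on the machine-readable status lines gpg writes with `--status-fd`. It assumes the client buffers gpg's output instead of rendering it as it streams; the function names and sample status streams are constructed for illustration.

```python
PREFIX = "[GNUPG:] "
FATAL = {"BADMDC", "DECRYPTION_FAILED"}
REQUIRED = ("DECRYPTION_OKAY", "GOODMDC")

class IntegrityError(Exception):
    """Decrypted output must not reach the renderer."""

def integrity_verdict(status_text):
    """Return (ok, reason); ok only on positive proof of integrity."""
    events = [line[len(PREFIX):].split()
              for line in status_text.splitlines() if line.startswith(PREFIX)]
    events = [e for e in events if e]
    seen = {e[0] for e in events}
    for kw in sorted(seen & FATAL):
        return False, "gpg reported " + kw
    # DECRYPTION_INFO <mdc_method> <sym_algo>: mdc_method 0 means no MDC.
    if any(e[:2] == ["DECRYPTION_INFO", "0"] for e in events):
        return False, "message carries no MDC"
    # Absence of an error is not enough: old gpg only warns on a missing MDC.
    for kw in REQUIRED:
        if kw not in seen:
            return False, "missing " + kw
    return True, "integrity verified"

def release_plaintext(buffered_plaintext, status_text):
    """Release buffered plaintext only after a clean verdict."""
    ok, reason = integrity_verdict(status_text)
    if not ok:
        raise IntegrityError(reason)
    return buffered_plaintext

# Constructed status streams (not captured from a real gpg run).
GOOD = "\n".join(PREFIX + s for s in (
    "BEGIN_DECRYPTION", "DECRYPTION_INFO 2 9", "DECRYPTION_OKAY",
    "GOODMDC", "END_DECRYPTION"))
NO_MDC = "\n".join(PREFIX + s for s in (
    "BEGIN_DECRYPTION", "DECRYPTION_INFO 0 3", "DECRYPTION_OKAY",
    "END_DECRYPTION"))
TAMPERED = "\n".join(PREFIX + s for s in (
    "BEGIN_DECRYPTION", "DECRYPTION_INFO 2 9", "BADMDC",
    "DECRYPTION_FAILED", "END_DECRYPTION"))
TRUNCATED = PREFIX + "BEGIN_DECRYPTION"  # gpg died before any verdict

if __name__ == "__main__":
    for name in ("GOOD", "NO_MDC", "TAMPERED", "TRUNCATED"):
        print(name, integrity_verdict(globals()[name]))
```

The gate is an allow-list: a stream that simply lacks `GOODMDC` is rejected, which covers older gpg versions that decrypt an unprotected message and only print a warning.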