A postmortem on Efail

Mark Rousell markr at signal100.com
Sun May 20 21:45:48 CEST 2018

On 20/05/2018 20:16, Damien Goutte-Gattat via Gnupg-users wrote:
> On 05/20/2018 02:51 PM, Dirk Gottschalk via Gnupg-users wrote:
>> It would be possible to implement something like --legacy to
>> re-enable the old functionality.
> For information, for the problem at hand, two things have been done in
> that direction:
> In GnuPG itself: GnuPG will now error out when attempting to decrypt
> *any* message that is not integrity-protected, *unless* the
> --ignore-mdc-error flag has been set. This has only been done in the
> master branch of GnuPG (to be released as GnuPG 2.3 at some point),
> *not* in the current stable 2.2 branch.
> In GpgME: GpgME will return a failure when attempting to decrypt *any*
> message that is not integrity-protected, inconditionnally and even if
> GnuPG itself only emits a warning.
> What this all means is that all clients using GpgME will lose the
> ability to decrypt old, unprotected message upon the next GpgME
> release (i.e., those clients will be completely immune to Efail even
> if they currently ignore the no-MDC warning). Users will still be able
> to decrypt such unprotected messages by calling gpg directly (with the
> --ignore-mdc-error flag, if needed).
> Clients that spawn gpg themselves without using GpgME will still be
> able to decrypt unprotected messages (and therefore, be potentially
> vulnerable to Efail if they don't pay attention to GnuPG warnings)
> until GnuPG 2.3 is released.

This seems reasonable to me. It means that legacy decryption is still
available in current and future code even if it requires users to take
some kind of action.

> And more generally on the backward compatibility problem: to decrypt
> all kind of "legacy" messages there will always be the option of using
> GnuPG 1.4.x, which is still maintained especially for compatibility
> with 1990-era PGP (it notably retains support for things like PGP 2.6
> keys or the MD5 hash algorithm).

I presume that one day the 1.x.y code will reach end of life. If and
when that happens, I strongly suspect that there will still be users who
will need to decrypt legacy-encrypted data and I think it is important
that they can still do this with a maintained (2.x.y) code base. (And I
realise that this is easy for me to say since I'm not contributing to
maintaining the code.)

Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180520/b286e886/attachment.html>

More information about the Gnupg-users mailing list