A postmortem on Efail

[Ben McGinnes]

On Sun, May 20, 2018 at 02:26:47AM -0400, Robert J. Hansen wrote:
> Writing just for myself -- not for GnuPG and not for Enigmail and
> definitely not for my employer -- I put together a postmortem on Efail.
> You may find it worth reading.  You may also not.  Your mileage will
> probably vary.  :)
> 
> https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08

Very nice article and it will be a useful one to forward to a number
of people.

I also liked ProtonMail's more technical one which addressed the
specifics of their own setup and demonstrated that the allegations
levelled their way were not well founded.  On the other hand, they use
OpenPGP.js very differently to most, if not all, of the other projects
which have since adopted it and are acutely aware of the inherent
weaknesses within JavaScript itself, so they don't drive their entire
systems with it.

I agree with most of the article and largely with the need to break
compatibility to an ancient flawed design.  Particularly since we
still have a means of accessing those ancient formats if we have to in
the form of the GPG 1.4 branch.  The ancient archives are as safe as
they've ever been (for whatever definition of "safe" is being implied
by the user/archivist).

There is, however, one aspect of this issue that you touched on
lightly, but didn't really delve into and which is at the centre of
my, mostly unvoiced (until this email), criticism of the Efail team.
That being the *incredibly* unhelpful and likely actively harmful
recommendation to remove encryption and decryption functionality from
vulnerable MUAs.

To say, “we have this edge case scenario that really needs an active
targeted attack on a case by case basis, so everyone should just stop
integrating encryption” is the kind of thing that can get people
killed.

Indeed, this particular release may still succeed in producing a body
count.  I am not yet aware of any confirmed fatalities stemming from
people panicking and stopping using crypto because they listened to
Efail and/or the EFF, but there is one particular community I'm
watching for just that issue right now.

By comparison to that I don't really care so much that Efail dropped
the ball with disclosure to GnuPG or any of the other projects.  It's
a bit annoying, but we can all cope.  I *do*, however, care that their
recommendations may have lasting and potential final consequences for
OpenPGP users living with and attempting to mitigate real threats to
their lives and/or liberty.

Playing with that sort of thing with the recklessness with which the
Efail team have done is, in my not so humble opinion, an absolute
disgrace.

You pointed out that the vast majority of OpenPGP use is no longer
email or other communications encryption.  This is both true and a
valid point of discussion.  Nevertheless, there are still a
considerable number of people who do use it that way and a number of
them have to deal with threat assessments with considerably higher
levels of personal risk than security researchers in academia or
cryptographic developers.

We must not forget these people.  Ever.  Even if we never hear from
them.  Their cases are also not a matter of being apathetic; it's that
their priorities are surviving the world they're in, so they need to
rely on the tools we provide (and I get the community apathy issue is
actually a more general thing, so this isn' having a go at that part).

The Efail researchers did forget them and their conduct demonstrates
this.  While they may have made some useful technical contributions
regarding S/MIME and highlighting certain poor implementations in
MUAs, that's no justification for reckless disregard of the lives of
end users.

So in my opinion it's not the merits or lack thereof in the
demonstrated attacks they released that have the gravest consequence
here, it's that the number one recommended mitigation technique is to
remove cryptographic functions from MUAs.  Even though they still said
to basically perform those functions manually and independently, which
does imply not opposing using cryptography itself.  It's still a
recommendation which is sure to create far more dangerous outcomes for
end users.

It's a bit like that scene in Erik the Viking where a woman is being
raped and Erik kills the rapist, but his sword goes right through the
rapist and kills the woman too.  He did stop the rape, but that
doesn't make his action a successful one.

I think it's fair to say that most, if not all, of those of us working
with this tech are reasonably intelligent.  So surely we can operate
at a level with a bit more forethought than a viking, fictional or
otherwise.


Regards,
Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180521/00b80b7b/attachment.sig>