A postmortem on Efail

Robert J. Hansen rjh at sixdemonbag.org
Mon May 21 14:51:17 CEST 2018


> That being the *incredibly* unhelpful and likely actively harmful
> recommendation to remove encryption and decryption functionality from
> vulnerable MUAs.

I blame the EFF for that more than I blame the Efail developers.  I
expect the people who develop new attacks to overstate their importance:
it's not out of any intent to deceive, it's just that they're too close
to the problem to have a clear perspective on the user impact.  The EFF,
though...

But even then, I have some sympathy for their position.  The EFF works
with many different activists in many different countries running many
different setups.  They were in a difficult situation of needing to put
out a press release that had useful recommendations for everyone, left
no one out in the cold, while still not raising a panic.

Let me be clear: I think the EFF behaved irresponsibly.  But I can be
sympathetic to their situation, too.  It's not a one-or-the-other thing.
And I'm going to remain quiet on this further until I have time to see
the EFF's postmortem.

> Indeed, this particular release may still succeed in producing a body
> count.  I am not yet aware of any confirmed fatalities stemming from
> people panicking and stopping using crypto because they listened to
> Efail and/or the EFF, but there is one particular community I'm
> watching for just that issue right now.

If I can help in any way, please let me know.

> We must not forget these people.  Ever.

I entirely agree.
