A postmortem on Efail
Robert J. Hansen
rjh at sixdemonbag.org
Mon May 21 14:51:17 CEST 2018
> That being the *incredibly* unhelpful and likely actively harmful
> recommendation to remove encryption and decryption functionality from
> vulnerable MUAs.

I blame the EFF for that more than I blame the Efail developers. I
expect the people who develop new attacks to overstate their importance:
it's not out of any intent to deceive, it's just that they're too close
to the problem to have a clear perspective on the user impact. The EFF,
But even then, I have some sympathy for their position. The EFF works
with many different activists in many different countries running many
different setups. They were in a difficult situation of needing to put
out a press release that had useful recommendations for everyone, left
no one out in the cold, while still not raising a panic.

Let me be clear: I think the EFF behaved irresponsibly. But I can be
sympathetic to their situation, too. It's not a one-or-the-other thing.
And I'm going to remain quiet on this further until I have time to see
the EFF's postmortem.

> Indeed, this particular release may still succeed in producing a body
> count. I am not yet aware of any confirmed fatalities stemming from
> people panicking and stopping using crypto because they listened to
> Efail and/or the EFF, but there is one particular community I'm
> watching for just that issue right now.

If I can help in any way, please let me know.

> We must not forget these people. Ever.

I entirely agree.