A postmortem on Efail

[Mark Rousell]

On 21/05/2018 13:34, Ben McGinnes wrote:

> I agree with most of the article and largely with the need to break
> compatibility to an ancient flawed design.  Particularly since we
> still have a means of accessing those ancient formats if we have to in
> the form of the GPG 1.4 branch.  The ancient archives are as safe as
> they've ever been (for whatever definition of "safe" is being implied
> by the user/archivist).

Indeed, this satisfies my archive retrieval concerns.

> There is, however, one aspect of this issue that you touched on
> lightly, but didn't really delve into and which is at the centre of
> my, mostly unvoiced (until this email), criticism of the Efail team.
> That being the *incredibly* unhelpful and likely actively harmful
> recommendation to remove encryption and decryption functionality from
> vulnerable MUAs.
>
> To say, “we have this edge case scenario that really needs an active
> targeted attack on a case by case basis, so everyone should just stop
> integrating encryption” is the kind of thing that can get people
> killed.

This has been commented on by a few people on this list, myself
included: [1]

To my mind, it reeks of slanted propaganda for Signal, and there does
seem to be a lot of it around at the moment. Signal has security
benefits but it's not (yet?) a replacement for encrypted email, whereas
a number of commentators seem to treat it as if all email, encrypted or
not, should be deprecated in favour of Signal. This is not sensible or
good advice without considering individual use cases (regardless of Efail).

> I *do*, however, care that their
> recommendations may have lasting and potential final consequences for
> OpenPGP users living with and attempting to mitigate real threats to
> their lives and/or liberty.
>
> Playing with that sort of thing with the recklessness with which the
> Efail team have done is, in my not so humble opinion, an absolute
> disgrace.
>
> You pointed out that the vast majority of OpenPGP use is no longer
> email or other communications encryption.  This is both true and a
> valid point of discussion.  Nevertheless, there are still a
> considerable number of people who do use it that way and a number of
> them have to deal with threat assessments with considerably higher
> levels of personal risk than security researchers in academia or
> cryptographic developers.
>
> We must not forget these people.  Ever.  Even if we never hear from
> them.  Their cases are also not a matter of being apathetic; it's that
> their priorities are surviving the world they're in, so they need to
> rely on the tools we provide (and I get the community apathy issue is
> actually a more general thing, so this isn' having a go at that part).
>
> The Efail researchers did forget them and their conduct demonstrates
> this.  While they may have made some useful technical contributions
> regarding S/MIME and highlighting certain poor implementations in
> MUAs, that's no justification for reckless disregard of the lives of
> end users.

Well said.

> So in my opinion it's not the merits or lack thereof in the
> demonstrated attacks they released that have the gravest consequence
> here, it's that the number one recommended mitigation technique is to
> remove cryptographic functions from MUAs.

Without wanting to sound like a conspiracy geek, removing encryption
from email would, of course, benefit Signal and its takeup.




[1] https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060450.html

-- 
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
 
 
 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180522/cf7ab8ad/attachment.html>