Misleading Advice Following the Efail PGP Vulnerability: Encryption is Better than no Encryption

Share Article

Synack CTO and Co-Founder Mark Kuhr analyzes the reported PGP vulnerability "Efail" and the guidance given to consumers from the research group who discovered the vulnerability.

Independent security researchers are advising people to stop using PGP, and the media is following suit. But this is a terrible idea. Even if a malicious actor could exploit this vulnerability (which would prove to be difficult), encryption is better than no encryption.

Another security nightmare starts to unfold as a news article from Gizmodo on Monday suggested that “if you use PGP or S/MIME for email encryption you should immediately disable it in your email client.” Why such a dire command? A vulnerability called “Efail”, discovered Monday morning by a group of researchers in Europe, which exposes encrypted emails in plain text. Gizmodo’s advice was basically just repeating the urging from the group of EFF researchers who originally found and disclosed the vulnerability: “Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.” This panic in the cyber security space is something we have now become all too used to.

Independent security researchers are advising people to stop using PGP, and the media is following suit. But this is a terrible idea. Even if a malicious actor could exploit this vulnerability (which would prove to be difficult), encryption is better than no encryption. This is like saying “your lock may not work, so leave your door wide open.”

The researchers reported that this is a bug with PGP, but it’s actually not a PGP issue. The vulnerability is actually an issue with the way clients view mail. The Efail vulnerability is not a cryptographic attack against the PGP encryption protocol as the EFF researchers originally reported; it’s merely a common client side content rendering vulnerability. Savvy users of email clients would have already disabled scripts and other forms of active content when rendering and decrypting email.

Why Does it Matter?

-The way that Efail was presented is misleading, which brings into question the fame that is so readily and easily given to researchers who “responsibly disclose” vulnerabilities for the media attention. Who is validating their findings and checking their facts? Are we to believe everything we read?
ProtonMail tweeted this in response: “Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.”

-Beyond the recklessness of the research group, what about the media that covered the story? Journalists need to do some diligence before they report on these types of vulnerabilities and pass on advice that ultimately pushes users away from secure communications channels.

-Despite the hype of this one, the Efail vulnerability is entirely preventable without patches and can be safely mitigated in client settings with most common PGP clients.

We all face enough legitimate cyber security issues without adding more noise here. We can’t go around encouraging consumers to turn off encryption in their email. That’s just asking for a devastating 0day. Be careful what you believe.

About Synack (https://www.synack.com/)

Synack, the leader in crowdsourced security testing, provides real security to the modern enterprise. We leverage the world's most trusted ethical hackers and an industry-leading platform to find critical security issues before criminals can exploit them. Companies no longer have to choose between working with the best security talent and a lack of time, resources, or trust. Headquartered in Silicon Valley with regional offices around the world, Synack has protected over 100 global organizations by reducing companies’ security risk and increasing their resistance to cyber attack.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Ellie McCardwell
Synack
+1 (765) 620-8547
Email >
@synack
Follow >
Visit website