On Sun, May 20, 2018 at 02:26:47AM -0400, Robert J. Hansen wrote:
> Writing just for myself -- not for GnuPG and not for Enigmail and
> definitely not for my employer -- I put together a postmortem on Efail.
> You may find it worth reading. You may also not. Your mileage will
> probably vary. :)
>
> https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08

Very nice article and it will be a useful one to forward to a number of people. I also liked ProtonMail's more technical one which addressed the specifics of their own setup and demonstrated that the allegations levelled their way were not well founded. On the other hand, they use OpenPGP.js very differently to most, if not all, of the other projects which have since adopted it and are acutely aware of the inherent weaknesses within JavaScript itself, so they don't drive their entire systems with it.

I agree with most of the article and largely with the need to break compatibility to an ancient flawed design. Particularly since we still have a means of accessing those ancient formats if we have to in the form of the GPG 1.4 branch. The ancient archives are as safe as they've ever been (for whatever definition of "safe" is being implied by the user/archivist).

There is, however, one aspect of this issue that you touched on lightly, but didn't really delve into and which is at the centre of my, mostly unvoiced (until this email), criticism of the Efail team. That being the *incredibly* unhelpful and likely actively harmful recommendation to remove encryption and decryption functionality from vulnerable MUAs.

To say, “we have this edge case scenario that really needs an active targeted attack on a case by case basis, so everyone should just stop integrating encryption” is the kind of thing that can get people killed. Indeed, this particular release may still succeed in producing a body count.

I am not yet aware of any confirmed fatalities stemming from people panicking and stopping using crypto because they listened to Efail and/or the EFF, but there is one particular community I'm watching for just that issue right now.

By comparison to that I don't really care so much that Efail dropped the ball with disclosure to GnuPG or any of the other projects. It's a bit annoying, but we can all cope. I *do*, however, care that their recommendations may have lasting and potential final consequences for OpenPGP users living with and attempting to mitigate real threats to their lives and/or liberty. Playing with that sort of thing with the recklessness with which the Efail team have done is, in my not so humble opinion, an absolute disgrace.

You pointed out that the vast majority of OpenPGP use is no longer email or other communications encryption. This is both true and a valid point of discussion. Nevertheless, there are still a considerable number of people who do use it that way and a number of them have to deal with threat assessments with considerably higher levels of personal risk than security researchers in academia or cryptographic developers.

We must not forget these people. Ever. Even if we never hear from them. Their cases are also not a matter of being apathetic; it's that their priorities are surviving the world they're in, so they need to rely on the tools we provide (and I get the community apathy issue is actually a more general thing, so this isn't having a go at that part).

The Efail researchers did forget them and their conduct demonstrates this. While they may have made some useful technical contributions regarding S/MIME and highlighting certain poor implementations in MUAs, that's no justification for reckless disregard of the lives of end users.

So in my opinion it's not the merits or lack thereof in the demonstrated attacks they released that have the gravest consequence here, it's that the number one recommended mitigation technique is to remove cryptographic functions from MUAs. Even though they still said to basically perform those functions manually and independently, which does imply not opposing using cryptography itself. It's still a recommendation which is sure to create far more dangerous outcomes for end users.

It's a bit like that scene in Erik the Viking where a woman is being raped and Erik kills the rapist, but his sword goes right through the rapist and kills the woman too. He did stop the rape, but that doesn't make his action a successful one.

I think it's fair to say that most, if not all, of those of us working with this tech are reasonably intelligent. So surely we can operate at a level with a bit more forethought than a viking, fictional or otherwise.

Regards,
Ben
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users