Earlier this week, we had a major storm with the release of a new report about email encryption issues. Called Efail, it starts with this research paper and website. What I want to talk about today is the following:
First, the vulnerabilities described in the Efail documents were well known, with some of them having been around for more than a decade. Basically, if you use HTML email to read your email – which if you are concerned about privacy you shouldn’t be doing in the first place – certain email clients combined with plug-ins for PGP or S/MIME will expose encrypted data to a hacker, if the hacker has access to your email stream.
Second, notice the if in the last sentence. That is a very big condition. Sure, hackers could target your network or email flow, but that is unlikely.
Third, the amount of bad reporting was immense, with most reporters missing the fact that there was nothing wrong with the PGP or S/MIME protocols themselves, only poor implementations. (The Efail authors do a solid job of reporting which clients are at issue.) There are numerous encrypted email solutions that aren’t affected by Efail.
Part of my problem with the reporting is the way that Efail was disclosed, with little or no advance notice to security analysts and other affected parties. This didn’t help matters.
One of the more alarmist posts was from the EFF, which weighed in with some very confusing suggestions. That is both unusual (since they are level-headed most of the time on technical issues) and unfortunate (because they are suggesting that folks stop using encryption). That isn’t a good idea, especially if you are one of the few that actually use PGP in your daily life. (Lesley Carhart’s tweet was spot-on.)
There were some standout reports that I will recommend. First, if you are new to email encryption, the best general source that I have found is Andy Yen’s TED talk from several years ago. He explains how encryption works, what to look for, and why you need it. Yen happens to work for Protonmail, which is certainly a good starting place to use encryption. The best overall report is from Steve Ragan at CSOonline, who documents the disclosures and what you need to do to update your email clients in this post. Finally, if you are ultra-paranoid, you should turn off HTML rendering in your email client.