I don't even understand why efail is getting so much publicity. The attack requires privileges access to your computer or your mail server in order to modify your existing messages. Or the ability to intercept messages in flight. That is a huge barrier, and if they had that access, all your plain text email is compromised as well.
I don't understand why people are uninstalling gnupg because of this "attack". I am extremely upset at the email keybase sent me, basically telling me that to be secure I should unregistered my PGP key; complete with instructions on how to do so. Accourding to them, I should be only using keybase's home grown encryption tools.
This whole exploit just seems like a marketing attack.
if they had that access, all your plain text email is compromised as well.
Isn't that why we're using PGP in the first place? If plain text email can be assumed to not be compromised, why encrypt at all?
Compromising mail using this vulnerability requires manipulating it while it is being sent which is more difficult than just tapping the connection.
Fortunately, it's not true; the situation is actually much better than the comment suggests. As the Protonmail rundown points out, the better PGP clients should be unaffected, and secure even with in-transit interception.
But "another recipient leaked the data" isn't actually the same security breach as "my data was observed". If the message was sent twice to different people, no one even has reason to believe I was sent the data. If the message was sent with multiple recipients, GPG encrypts it symmetrically, then provides an encrypted copy of that key to each user - which means there's no way to check that I actually received a valid copy of the message.
It's a good point, though, that if you're planning the Arab Spring by group email or something, you should currently treat messages as at higher risk even if you use Protonmail.
Not really. PGP provides both signing and encryption. Encrypted unsigned HTML messages have the same level of protection as plaintext, but that adds two very strong qualifiers. Encrypted unsigned messages already make little sense and should be a red flag.
Confidentiality is a separate concern from authenticity of the source. There are obvious cases where the authenticity of the source is irrelevant, e.g. if a message contains anonymous feedback or a tip.
True, if your computer is hacked, you are fd (as always may I add).
But, the point of PGP and S/MIME is to provide end-to-end encryption, i. e. from the sender to the recipient. You don't trust the MTAs and MDA in between, their only role is to transmit the email.
So this flaw is kind of critical. However, it's far from being the end of the world, this flaw is somewhat visible, if it was exploited massively in the wild, it would have been known by now.
As a side note, S/MIME or PGP email is quite horrible as a standard, first the title is not encrypted by default, and being able to mix encrypted and not encrypted data in the body is really weird.
I don't understand how something like that could have been considered good. There are probably 1 or 2 gotchas, but having an all or nothing encryption seems preferable, the whole message apart from a few headers used for delivery (sender, recipient, DKIM, etc) should be completely encrypted or not. Also, if remote content was forbidden for encrypted messages, this would be a good thing.
i mean, i do like protonmail and their product, but you can't act like this post isn't designed to protect their own interests. the facts happen to be on their side here.
Because many people have a defeatist, preconceived notion that the government can monitor anything and everything you do, no matter what you do. A flaw in PGP is a key piece of evidence in support of their theory that allows them to say, "See? All those tinfoil hats spent all that time on a cumbersome solution that was defeated anyway."
So you're saying that PGP is useless?
Yeah that's exactly what PGP is supposed to protect against.
disabling the plugin until this is fixed would prevent an attack. Depending on your risk profile, this would be a reasonable mitigation: Don't receive encrypted messages for a while, but keep old conversations safe.
That's a pretty common claim and has been for a long time. It's not just verification of identity, but verification of integrity that the encryption is supposed to enforce. Instead, it throws a warning for one case and will not decrypt for another. The binary client is broken, as a security tool (insofar as it fails to provide the security it claims). If the integrity of the message is compromised, why show a version of the decrypted message at all? There's no guarantee that's correct and has led to this.