Freemors Blog

Musings of an East Coast Techie

What You Need to Know About efail

2018-06-15 by Freemor

I am writing this because there is a lot of hyperbole about efail.

Are GPG/PGP and S/MIME broken?

No. efail is an attack on the mail client, not on the cryptography. There is some messing with the cryptographic elements, but that would be very apparent: signatures would fail, etc.

Is my private key compromised? Does this lead to a compromise of the keys?

No. The attack tricks email-reading programs into sending the clear text of the message, once it has been decrypted, back to the attacker.

Is my email program affected?

Maybe. Not all are. There is an excellent chart on page 11 of the official report.

Should I disable/stop using GPG or S/MIME?

That depends.

The real problem is HTML rendering in some email clients. Check the list in the document mentioned above to see if yours is affected.

Patches are coming online quickly, so check that your email client is up to date.

If you are comfortable doing so, turn off HTML rendering of email. This will almost completely mitigate the issue. The researchers did not get a non-HTML-rendered email to be affected, but they do suggest other, more complicated techniques that MAY be able to do that.
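The combination a defender wants to spot in a mailbox is an encrypted part sitting next to an HTML part that makes the client fetch something from the network when it renders. The script below is an added example, not code from the blog post or from the efail researchers: it walks a MIME message with Python's standard email library and reports encrypted parts and HTML parts that reference remote resources. The sample message, its addresses and the placeholder ciphertext are all constructed for the example.

```python
"""Flag the conditions an efail-style exfiltration depends on in a stored message.

Added example (not from the blog post): walks a MIME message and reports
(a) encrypted parts and (b) HTML parts that reference remote resources.
A message showing both is one an HTML-rendering client should not be
pointed at until the client is patched or HTML rendering is off.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: an HTML part with a remote image next to a PGP/MIME
# encrypted part. Addresses and ciphertext are placeholders.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset=utf-8

<html><body><p>See attached.</p>
<img src="https://tracker.example.invalid/pixel.png">
</body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDER-CIPHERTEXT
-----END PGP MESSAGE-----
--enc--
--outer--
"""

# Attribute values and CSS references that make a rendering client go to the
# network: src/href/background pointing at http(s) or a protocol-relative URL,
# and url(...) inside inline styles.
REMOTE_REF = re.compile(
    r"""(?:src|href|background)\s*=\s*["']?\s*(https?:)?//|url\(\s*["']?\s*(https?:)?//""",
    re.IGNORECASE,
)

# Content types that mark a PGP/MIME or S/MIME encrypted part.
ENCRYPTED_TYPES = {
    "multipart/encrypted",
    "application/pgp-encrypted",
    "application/pkcs7-mime",
    "application/x-pkcs7-mime",
}


def scan_message(raw: bytes) -> dict:
    """Return a summary of encrypted parts and remote references in HTML parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    encrypted_parts = []
    html_remote_refs = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted_parts.append(ctype)
        elif ctype == "text/html":
            body = part.get_content()  # decoded text of the HTML part
            hits = len(REMOTE_REF.findall(body))
            if hits:
                html_remote_refs.append(hits)
    return {
        "encrypted_parts": encrypted_parts,
        "html_parts_with_remote_refs": len(html_remote_refs),
        "remote_refs": sum(html_remote_refs),
        # Risky only when both ingredients are present in one message.
        "risky": bool(encrypted_parts) and bool(html_remote_refs),
    }


if __name__ == "__main__":
    for key, value in scan_message(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The check is deliberately coarse: any remote reference in an HTML part of a message that also carries ciphertext is reported, because whether a particular client would leak depends on the client, not on the message. Running it over an mbox or Maildir is a matter of feeding each message's bytes to scan_message.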

Keep in mind that this is a complicated man-in-the-middle attack that requires the attacker to have access to your stored emails on the server or your computer, or the ability to capture them in transit. This is not something generic hackers will be doing. It is something that governments and places like the NSA will be interested in. If you are worried about them, I'd strongly suggest making sure you are using a non-affected client and disabling HTML rendering.

But for the average person who isn't worried about nation states and spy agencies actively trying to get their stuff, I'd say keep using GPG or S/MIME. Apply the patches as they become available. Turn off HTML rendering, or move to an unaffected client.

It's better to send encrypted and force people to work at decrypting it than to just say fuck it, send everything in the clear, and let them have it all with no effort.

The bullet points

  • The attacker must have access to your emails, either on the server or in transit
  • Not all email programs are affected
  • Patches are coming quickly
  • This is not a problem with the encryption. It's a problem with the email programs
  • Turning off HTML rendering almost completely neuters this attack (except for some theoretical attacks)
  • For the average person this is a low-priority and easily mitigated attack
  • Take the appropriate precautions: move to a non-affected email reader, patch, turn off HTML rendering, and keep encrypting
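"Turn off HTML rendering" is a setting in the client, so it is worth being able to check that it actually took. The script below is an added example, not from the blog post or any mail client project: it parses user_pref(...) lines from a Thunderbird-style prefs.js or user.js and compares them with hardened values. The pref names (mailnews.display.html_as, mailnews.display.prefer_plaintext, mailnews.message_display.disable_remote_image) are the Thunderbird names as I know them and are an assumption to confirm against your client version; the weak configuration fed in is constructed for the example.

```python
"""Audit a Thunderbird-style prefs file for the settings that blunt efail.

Added example, not from the blog post. Pref names are assumed Thunderbird
names; confirm them against the client version in use before relying on this.
"""
import re

# Hardened values: render messages as plain text, prefer a text/plain
# alternative when one exists, and never fetch remote images.
# (Assumed Thunderbird pref names; 1 for html_as means "plain text".)
HARDENED = {
    "mailnews.display.html_as": 1,
    "mailnews.display.prefer_plaintext": True,
    "mailnews.message_display.disable_remote_image": True,
}

# Constructed sample of a weak configuration: full HTML and remote images on.
WEAK_PREFS = """\
user_pref("mailnews.display.html_as", 0);
user_pref("mailnews.display.prefer_plaintext", false);
user_pref("mailnews.message_display.disable_remote_image", false);
user_pref("mail.something.unrelated", "keep");
"""

PREF_LINE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs(text: str) -> dict:
    """Turn user_pref lines into a dict of name -> bool/int/str."""
    prefs = {}
    for name, raw in PREF_LINE.findall(text):
        raw = raw.strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit(prefs: dict) -> list:
    """Return (pref, current, wanted) for each setting that is not hardened.

    A pref missing from the file is reported too: the file only records
    values changed from the build default, so absence does not prove safety.
    """
    findings = []
    for name, wanted in HARDENED.items():
        current = prefs.get(name, "<default>")
        if current != wanted:
            findings.append((name, current, wanted))
    return findings


def hardened_user_js() -> str:
    """Emit the user.js lines that set every hardened value."""
    lines = []
    for name, value in HARDENED.items():
        js = "true" if value is True else "false" if value is False else str(value)
        lines.append(f'user_pref("{name}", {js});')
    return "\n".join(lines)


if __name__ == "__main__":
    for name, current, wanted in audit(parse_prefs(WEAK_PREFS)):
        print(f"{name}: is {current!r}, want {wanted!r}")
    print("\nhardened user.js:\n" + hardened_user_js())
```

Point it at the profile's prefs.js after changing the settings in the client's preferences dialog; the lines hardened_user_js produces can also be dropped into a user.js so the values survive upgrades.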