💾 Archived View for idiomdrottning.org › efail captured on 2023-09-28 at 15:46:27. Gemini links have been rewritten to link to archived content


What about efail?

A blogpost from 2018 writes about the EFFail:

Was the Efail disclosure horribly screwed up? – A Few Thoughts on Cryptographic Engineering

Or, rather, in defense of the EFF (somehow).

> Some folks, including vendors, have misrepresented the EFF post as essentially pushing people to “permanently” uninstall PGP

Yes. And that take was correct since that is what has happened since.

> presumably these users […] will immediately fall back to sending incriminating information via plaintext emails

That is also what has happened. That is also why we still see people now six years later going “email shouldn’t even be encrypted, I have OMEMO for that”. Which, OK, it’s good to keep the more secret stuff in a more secret place, but it’s not good to blatantly abandon email encryption entirely either.

> The big (and largely under-reported) story of EFail is the way it affects S/MIME. […] TL;DR it affects them very badly.
> Efail also happens to affect a smaller, but non-trivial number of OpenPGP-compatible clients.

Yep. S/MIME was a lot more vulnerable to efail but hasn’t seen the same PR fallout.

It’s true that Thunderbird (Enigmail) and the GnuPG API itself were doing some pretty dang sloppy things. Decrypting parts and concatenating them before re-splitting into MIME parts? Whuh... It’s super weird that so many S/MIME clients and a couple of GPG clients were doing that!

GPG is supposed to protect you from your own email provider (and before TLS existed, from the rest of the world too) and here was a way your email provider could’ve attacked you. It’s good that it was reported and fixed.

Why it’s OK that PGP sucks