[David Strom's Web Informant] Understanding email encryption

David Strom david at strom.com
Wed May 16 11:22:01 EDT 2018


Web Informant, May 16, 2018: Understanding email encryption

Earlier this week, we had a major storm with the release of a new report
about email encryption issues. Called Efail, it starts with this research
paper and website <https://efail.de/>. What I want to talk about today is
the following:

First, the *vulnerabilities described in the Efail documents were well
known*, with some of them having been around for more than a decade. Basically, if
you use HTML email to read your email – which if you are concerned about
privacy you shouldn’t be doing in the first place – certain email clients
combined with plug-ins for PGP or S/MIME will expose encrypted data to a
hacker, *if* the hacker has access to your email stream.

*Second, notice the if in the last sentence.* That is a very big condition.
Sure, hackers could target your network or email flow, but chances are
unlikely.

Third, *the amount of bad reporting was immense*, with most reporters
missing the fact that there was nothing wrong with the PGP or S/MIME
protocols themselves, only poor implementations. (The Efail authors do a
solid job of reporting which clients are at issue.) There are numerous
encrypted email solutions that aren't affected by Efail.

Part of my problem with the reporting is the way that Efail was disclosed,
with little or no advance notice to security analysts and other affected
parties. This didn't help matters.

One of the more alarmist posts was from the EFF, which weighed in with some
very confusing suggestions
<https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now>.
That is both unusual (since they are level-headed most of the time on
technical issues) and unfortunate (because they are suggesting that folks
stop using encryption). That isn't a good idea, especially if you are one
of the few that actually use PGP in your daily life. (Lesley Carhart's
tweet was spot-on
<https://twitter.com/hacks4pancakes/status/996041844311117824?wpisrc=nl_cybersecurity202&wpmm=1>.)

*There were some standout reports that I will recommend*. First, if you are
new to email encryption, the best general source that I have found is Andy
Yen's TED talk from several years ago
<https://www.ted.com/talks/andy_yen_think_your_email_s_private_think_again#t-713895>.
He explains how encryption works and what to look for and why you need it.
Yen happens to work for Protonmail, which is certainly a good starting
place to use encryption. The best overall report is from Steve Ragan at
CSOonline
<https://www.csoonline.com/article/3272067/security/researchers-warn-pgp-and-smime-users-of-serious-vulnerabilities.html>,
who documents the disclosures and what you need to do to update your email
clients in this post. Finally, if you are ultra-paranoid, you should turn
off HTML rendering in your email client.
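The two preconditions described above (an HTML part that a client will render, sitting next to a PGP/MIME, S/MIME or inline-PGP encrypted part) can be checked before a message ever reaches a rendering client. The following is an added example, not code from the newsletter or from the Efail authors: it parses a raw message with Python's standard `email` module and reports which preconditions it meets, so a gateway or client can fall back to plain-text display when both hold. The sample message and the `example.invalid` addresses are constructed for the demonstration.

```python
import email
import re
from email import policy

# Attribute or CSS patterns that an HTML renderer would fetch from the network
# without user interaction; any of them is a channel out of the client.
REMOTE_REF = re.compile(r'(?:src|href|url\s*\()\s*=?\s*["\']?\s*https?://', re.I)
PGP_ARMOR = re.compile(r'-----BEGIN PGP MESSAGE-----')

def assess_message(raw: bytes) -> dict:
    """Report which Efail preconditions a raw RFC 5322 message meets.

    encrypted: a PGP/MIME, S/MIME enveloped or inline-PGP part is present
    html:      at least one text/html part would be rendered
    remote:    an HTML part references remote content
    risky:     encrypted and html both hold; show plain text only
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"encrypted": False, "html": False, "remote": False}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("multipart/encrypted", "application/pgp-encrypted"):
            found["encrypted"] = True
        elif ctype == "application/pkcs7-mime":
            # S/MIME signatures also use pkcs7-mime; only enveloped data is encrypted
            if part.get_param("smime-type", "enveloped-data") == "enveloped-data":
                found["encrypted"] = True
        elif ctype == "text/html":
            found["html"] = True
            if REMOTE_REF.search(part.get_content()):
                found["remote"] = True
        elif ctype == "text/plain" and PGP_ARMOR.search(part.get_content()):
            found["encrypted"] = True
    found["risky"] = found["encrypted"] and found["html"]
    return found

# Constructed sample: an HTML part with a remote image next to a PGP/MIME part.
SAMPLE = b"""Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset=utf-8

<html><body><img src="http://tracker.example.invalid/pixel.gif"></body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext)
-----END PGP MESSAGE-----
--inner--
--outer--
"""

if __name__ == "__main__":
    print(assess_message(SAMPLE))
```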

Comments always welcome here: http://blog.strom.com/wp/?p=6525