Over the weekend a European security researcher tweeted an ominous warning about email encryption:
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
— Sebastian Schinzel (@seecurity) May 14, 2018
Part of security and counterintelligence is staying on top of developments and vulnerabilities that could expose you, your contacts, or your operations. EFF followed up right away with an article telling people to uninstall and stop using all PGP/GPG encryption — a move that was panned by a lot of people in the infosec community because EFF’s “OMG” advice came down to “turn your encryption off.”
Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.
The warning came before the paper explaining the vulnerability was released, and Twitter wasn’t convinced.
Because of the reasons you'll learn tomorrow.
— Sebastian Schinzel (@seecurity) May 14, 2018
It is a serious problem. That should not be a necessary fix / thought for non technical people.
It’s already widely mitigated, which was not made properly clear.
The answer never should have devolved into “disable encryption”.
— Lesley Carhart (@hacks4pancakes) May 14, 2018
The paper was released a bit early, and describes the vulnerability thusly:
In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.
It describes two types of attacks, and offers two client-side mitigation strategies:
- Disable/uninstall all PGP/GPG in your email client. For many, that means uninstalling Enigmail from your Thunderbird, for instance. According to the researchers, you need to decrypt your emails outside of your email client and remove your private keys from the program.
- Disable HTML rendering for incoming emails. (And don’t send HTML emails—only plain text.)
The other two mitigation ideas were for developers to both patch the individual packages such as Enigmail, and update the PGP and S/MIME standards.
It sounds pretty cut-and-dry, doesn’t it? Except there’s always more to the story. Robert Hansen, who runs the official GnuPGP FAQ, posted “Don’t Panic” on the boards:
Werner [Koch, developer of GnuPG] saw a preprint of this paper some time ago. I saw it recently. Patrick Brunschwig of Enigmail saw it. None of us are worried. Out of respect for the paper authors I will skip further comment until such time as the paper is published. It would’ve been nice if EFF had reached out to us for comment, rather than apparently only talking to the paper authors. We hope they’ll reach out next time.
Koch himself weighed in on the mailing lists.
The topic of that paper is that HTML is used as a back channel to create an oracle for modified encrypted mails. It is long known that HTML mails and in particular external links like are evil if the MUA [mail user agent, such as Thunderbird–AP] actually honors them (which many meanwhile seem to do again; see all these newsletters). Due to broken MIME parsers a bunch of MUAs seem to concatenate decrypted HTML mime parts which makes it easy to plant such HTML snippets.
There are two ways to mitigate this attack.
– Don’t use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.
– Use authenticated encryption.
Koch also went digging in his emails and found an interesting exchange between himself and the authors of the paper in question, in which he pointed out a few caveats that changed the dire nature of the original research, and noted that he went a few rounds with the authors. The paper also claimed that Mailpile was vulnerable — but it isn’t, leading to some rather annoyed developers over there and decreasing the credibility of the paper itself.
Where does this leave you, the user? Hansen explains to another user who basically asked exactly that:
By default, GnuPG will scream bloody murder if a message lacks an MDC or if the MDC is invalid. At that point it’s up to your email client to pay attention to the warning and do the right thing. Enigmail 2.0 and later are fine, but I can’t speak for other systems.
Of course, if you’re crazy enough to disable the MDC check (“–no-mdc-warning”) then all bets are off, but really, you’ll get what you deserve. […] MDC is an attribute of the packet, not the cipher. By default, all ciphers in the GnuPG suite use MDC.
The user did some testing of his own, and found that Enigmail is vulnerable in this context; Hansen was not aware, and promised to bring in the Enigmail developer to take a look. However, Hansen writes that the entire vulnerability is predicated on the use of S/MIME encryption.
It’s worth noting, incidentally, the #Efail attack flat-out requires MIME. So inline PGP messages are not vulnerable, as there’s no MIME parsing pass which can be exploited. So you’re *still* safe, although this is still a bug that should be fixed. 😉
Not everyone is convinced, and the battle rages on as we speak. It’s not going to stop anytime soon, either.
- Check your Enigmail and ensure that inline GPG is enabled as opposed to S/MIME. (You can do this by going into the settings for your specific account, under OpenPGP Security, NOT in the Enigmail global settings).
- If you know how, consider using GPG outside the email client.
- Don’t use HTML emails; use plain text only. If you must receive them, then “use a proper MIME parser and disallow any access to external links,” as Koch advises.
- Stay on top of developments, and learn at least enough to intelligently follow discussions on the topic. The conversations are often held in the open, as various professionals work together to test scenarios and report back their findings.
- Consider your own OPSEC plan (if you don’t have one, check out our series on doing the necessary analysis) and make a decision about how this information will affect it.
You could, however, ignore everything above and pay attention to the biggest takeaway of all:
If it is online, it is not safe. Do not assume that because something is considered “safe” right now, that it is actually safe, or that it will be safe tomorrow, or that any future vulnerabilities won’t be able to collect backwards.
Stop using email to send secrets.
— Thomas H. Ptacek (@tqbf) May 14, 2018
UPDATE: GnuPG has released an official statement.
UPDATE 2: The first version of this article agreed with EFF’s decision to tell people to stop using PGP for now. I need to clarify that. If you are already doing what you’re supposed to be doing, then this whole thing won’t really affect you. You’re already following common sense and not doing stupid things on buggy email programs. If, however, you are using encrypted email with the belief that it somehow insulates you from the government or other attackers from reading the information you’re sending then you have a bigger problem than the reported bug. Also keep in mind that EFF deals with non-tech people; they’re trying to mitigate the damage among people who install Enigmail and think it’s a solid wall that will offer 100% protection out of the box. That’s not how it works. Bottom line (again): The best protection is to understand that nothing is safe and act accordingly when planning activism, resistance or working on politically charged activities.