Encrypted Email Has a Major, Divisive Flaw (Wired, screenshot)





Creative Commons Licence



Contributed date

December 3, 2019 - 2:08pm

Critical Commentary

2018/5/14 - screenshot of the Wired article about EFAIL (Full PDF)

This article explains what the vulnerabilty is, how it works, and who disclosed it. It relayed the EFF's advice to stop sending and especially reading PGP-encrypted email and commented it:

This advice has seemed overly reactionary to some cryptographers, though, who argue that some people can't simply switch to other secure platforms and that encrypted email is still better than nothing. The bigger issue, they argue, is the lack of unity in securing email in the first place and dealing with problems as they arise.

The author also quoted Kenn White, from the Open Crypto Audit Project:

"The core architecture of PGP encryption is very dated, and in order to make current email apps able to still receive encrypted mail sent from older programs or read messages using older-style encryption, many software packages tolerate insecure settings," White says. "When a message is unable to be properly decrypted, instead of displaying a corruption error message—a 'hard fail' as it's known—the mail software will display the message anyway. Combined with other default conveniences like displaying images or loading links sent by the sender by default, the game is up."