Major #eFail Vulnerability Exposes PGP Encrypted Email (Forbes, screenshot)

Creative Commons Licence

Contributed date: December 3, 2019 - 1:57pm

Critical Commentary

2018/5/14: screenshot of Forbes article about EFAIL (Full PDF)

This article explains how the vulnerability was disclosed. Interestingly, it already discusses who should fix the issue:

It appears the vulnerability (which some have dubbed eFail) resides in such email clients, rather than a fundamental problem with the PGP standard, according to Werner Koch, the man behind GNU Privacy Guard (GnuPG), the free and open source PGP software suite. In a post, Koch said he believed the EFF's comments on the issue were "overblown" and that he hadn't been contacted about the vulnerability.

The author also quotes a spokesperson for ProtonMail:

A spokesperson for ProtonMail, a webmail service that uses PGP, confirmed its services were not affected. The spokesperson also said eFail wasn't exactly new. "It has been known since 2001. The vulnerability exists in implementation errors in various PGP clients and not the protocol itself," the spokesperson added.
"What is newsworthy is that some clients that support PGP were not aware of this for 17 years and did not perform the appropriate mitigation."
"As the world's largest encrypted email service based on PGP, we are disappointed that some organizations and publications have contributed to a narrative that suggests PGP is broken or that people should stop using PGP. This is not a safe recommendation."