The trajectory of a vulnerability named EFAIL


EFAIL is the name given to a series of vulnerabilities that affect two end-to-end email encryption protocols: OpenPGP and S/MIME . We chose this example not because it is representative of a usual vulnerability disclosure – it is not. We chose it rather because the controversies around it revealed various areas of frictions that highlighted some general disagreements regarding the management of vulnerability disclosure. We unfold the EFAIL disclosure process through four ethnographic descriptions.

1. The messed up public disclosure

For a few days in May 2018, most the attention of the IT security crowd seemed to be devoted to an enigmatic announcement released jointly by a team of researchers led by Professor Sebastian Schinzel and the Electronic Frontier Foundation (EFF): on May 13, 2018, at 11pm (in Germany), Schinzel tweeted that his team found a series of critical vulnerabilities in email encryption protocols against which there were no reliable fixes available1. The tweet announced that the full details will be made public two days later. The tweet also provided a link to an EFF’s blog post with some advice to mitigate this until it would be definitely fixed. Following this announcement, many people started to debate about the issue itself on Twitter, in forums and mailing lists, even though the full details were not yet available. The day after the announcement and prior to the planned release date, details about the vulnerability leaked. What followed was a chaotic situation that forced the EFAIL researchers to expedite the official disclosure of the full paper that had already be spread out. Several articles in specialist and generalist newspapers, websites and blogs were published immediately after, hyping even more the controversial issues about the nature of the vulnerabilities and how it has been disclosed.

A unified timeline of Efail PGP disclosure events

2018/05/16: Timeline of the Efail vulnerabilities disclosures to PGP vendors and usersRead more

Press coverage of the EFAIL disclosure

Press coverage of the EFAIL disclosure
View essay

Verschlüsselte E-Mails sind nicht sicher (Süddeutsche Zeitung, screenshot)

2018/5/14: screenshot of a Süddeutsche Zeitung article about EFAIL (Full PDF)

This article in German gives an overview of the EFAIL vulnerabilities for a non specialist public.

Es steht also fest: Was die Forscher herausgefunden haben, ist so verheerend, dass das Vertrauen in verschlüsselte Mails zumindest auf absehbare Zeit verloren sein dürfte.

The article also explains how public key cryptography works and why it could be important to encrypt emails:

Die NSA fing eine E-Mail ab, aber konnte die Verschlüsselung nicht brechen. Der wohl mächtigste Geheimdienst der Welt scheiterte jahrelang an PGP. Snowden war deshalb überzeugt: "Richtig eingestellte kryptografische Verfahren gehören zu den wenigen Dingen, auf die man sich verlassen kann." Wenn die Forscher ihre Ergebnisse an diesem Freitag auf einer Fachkonferenz in Bochum präsentieren werden, dann dürfte dieser Satz überholt sein.

Critical PGP and S/MIME bugs can reveal encrypted emails—uninstall now (ARS TECHNICA, screenshot)

2018/5/14: screenshot of ARS TECHNICA article about EFAIL (Full PDF)

Given the track record of the researchers and the confirmation from EFF, it's worth heeding the advice to disable PGP and S/MIME in email clients while waiting for more details to be released Monday night. Ars will publish many more details when they are publicly available.

Major #eFail Vulnerability Exposes PGP Encrypted Email (Forbes, screenshot)

2018/5/14: screenshot of Forbes article about EFAIL (Full PDF)

This article explains how the vulnerability was disclosed. Interestingly, it already discusses who should fixe the issue:

It appears the vulnerability (which some have dubbed eFail) resides in such email clients, rather than a fundamental problem with the PGP standard, according to Werner Koch, the man behind GNUPrivacyGuard (GnuPG), the free and open source PGP software suite. In a post, Koch said he believed the EFF's comments on the issue were "overblown" and that he hadn't been contacted about the vulnerability.

The author also quote spokesperson for ProtonMail:

A spokesperson for ProtonMail, a webmail service that uses PGP, confirmed its services were not affected. The spokesperson also eFail wasn't exactly new. "It has been known since 2001. The vulnerability exists in implementation errors in various PGP clients and not the protocol itself," the spokesperson added.
"What is newsworthy is that some clients that support PGP were not aware of this for 17 years and did not perform the appropriate mitigation."
"As the world's largest encrypted email service based on PGP, we are disappointed that some organizations and publications have contributed to a narrative that suggests PGP is broken or that people should stop using PGP. This is not a safe recommendation."

Encrypted Email Has a Major, Divisive Flaw (Wired, screenshot)

2018/5/14 - screenshot of the Wired article about EFAIL (Full PDF)

This article explains what the vulnerabilty is, how it works, and who disclosed it. It relayed the EFF's advice to stop sending and especially reading PGP-encrypted email and commented it:

This advice has seemed overly reactionary to some cryptographers, though, who argue that some people can't simply switch to other secure platforms and that encrypted email is still better than nothing. The bigger issue, they argue, is the lack of unity in securing email in the first place and dealing with problems as they arise.

The author also quoted Kenn White, from the Open Crypto Audit Project:

"The core architecture of PGP encryption is very dated, and in order to make current email apps able to still receive encrypted mail sent from older programs or read messages using older-style encryption, many software packages tolerate insecure settings," White says. "When a message is unable to be properly decrypted, instead of displaying a corruption error message—a 'hard fail' as it's known—the mail software will display the message anyway. Combined with other default conveniences like displaying images or loading links sent by the sender by default, the game is up."

OpenPGP und S/MIME: E-Mail-Verschlüsselung akut angreifbar (Heise Online, screenshot)

2018/5/14 screenshot of the Heise article about EFAIL (Full PDF)

This is a short article that announces the flaw and redirects interested readers to an up-coming article.

Die Probleme und Angriffe sind real; heise Security liegen detaillierte, technische Informationen zur Natur der Schwachstellen vor und konnte zumindest einen Angriff auf eine verschlüsselte PGP-Mail unter Laborbedingungen nachvollziehen. Mehr Informationen dazu wird heise Security spätestens zum Ablauf der Sperrfrist morgen Vormittag veröffentlichen.

PGP und S/MIME: So funktioniert Efail (Heise, screenshot)

2018/5/14 extended article published in Heise Security that explains how EFAIL works. (Full PDF)

Efail: Welche E-Mail-Clients sind wie sicher? (Heise, screenshot)

2018/5/23 an article published in Heise some days after EFAIL public disclosure. It discusses the status of some fixes in email clients. (Full PDF)

Efail ist ein EFFail (Heise, screenshot)

2018/5/16 - two days after the public disclosure, Heise published a commentary about the disclosure process. (Full PDF)

PGP ist nicht kaputt. Wenn man allerdings große Teile der Berichterstattung über die Efail-Lücken verfolgt hat, könnte man zu diesem Schluss gelangen. Das liegt vor allem daran, dass Aufmerksamkeit nicht nur das wichtigste Kapital für Medien geworden ist, sondern auch für Forscher. Die Offenlegung der Efail-Schwachstellen ist ein Lehrstück dafür, wie so etwas maximal schief gehen kann.

People Are Freaking Out That PGP Is ‘Broken’—But You Shouldn’t Be Using It Anyway (Motherboard, screenshot)

2018/5/14 - screenshot of a Motherboard article about EFAIL. The title as well as the incipit of the article reveal the skepticism of the author about the crypto protocol (Full PDF):

On Monday, the world was reminded once again that the almost 30-year-old encryption protocol PGP does still exist, and, yes, it still kinda sucks.

Another quote:

"Sadly I think what it tells everyone is that as standards age, legacy systems will almost inevitably be exploited," Alan Woodward, a professor at the University of Surrey, told me, "and email does not make for a good platform for secure messaging in the first place."

S/MIME artists: EFAIL email app flaws menace PGP-encrypted chats (The Register, screenshot)

2018/5/14 screenshot of the article of The Register about EFAIL (Full PDF)

So, how bad is it? Hacker House cofounder and Brit infosec pro Matthew Hickey told The Register while we're unlikely to see widespread abuse of EFAIL, the potential for targeted attacks against journalists, corporations, activists, and academics makes it worth taking seriously.

Email Is Dangerous (The Atlantic, screenshot)

2018/5/21 screenshot of an interesting, extended article published in The Atlantic. (Full PDF)

The lesson of Efail is that you can build everything well, but if you’ve built on a bad foundation, there’s no structure strong enough to stand. No one is responsible for email itself, and in the days since the Efail disclosure people have been pointing fingers at each other—email clients, vendors, OpenPGP standards, and S/MIME software vendors. It’s no one’s fault and it’s everyone’s fault. These kinds of disclosures, and the hacks built on the flaws of email, will keep coming for the foreseeable future.

What "Efail" Tells Us About Email Vulnerabilities and Disclosure (Schneir on Security, screenshot)

2018/5/24 - 10 days after the public disclosure of EFAIL, Bruce Schneir commented the disclsosure process. This is a long, in-depth and worthwhile article about the general process of vulnerability disclosure and email security in general. Link to the full version.

Expect more of these kinds of problems in the future. The internet is shifting from a set of systems we deliberately use—our phones and computers—to a fully immersive internet-of-things world that we live in 24/7. And like this email vulnerability, vulnerabilities will emerge through the interactions of different systems. Sometimes it will be obvious who should fix the problem. Sometimes it won't be. Sometimes it'll be two secure systems that, when they interact in a particular way, cause an insecurity.

Die wichtigsten Fakten zu Efail (GOLEM, screenshot)

2018/5/22 - a long, in-depth article about EFAIL published in Golem (Full PDF)

Ein Problem bei Efail war, dass zum Zeitpunkt der Veröffentlichung für viele der betroffenen Mailclients keine Updates bereitstanden. Dabei waren sie bereits Monate vorher informiert worden.

PGP: Encryption Program Used by Edward Snowden 'Can Leak Secret Messages' (Newsweek article)

2018/5/14: screenshot of a Newsweek article about EFAIL (Full PDF)

This article is interesting as it makes the link between the EFAIL disclosure and the emblematic figure of digital rights activist Edward Snowden:

PGP, which is used to scramble the content of sensitive messages and believed to be one of the most secure methods of protecting private email communications, was once used by National Security Agency (NSA) whistleblower Edward Snowden to contact journalists.

It is interesting to note that during his talk at the CCC [], Sebastian Schinzel explicitly states that the only way to use PGP is to follow Snowden's tutorial published in this video for Laura Poitras. This method was never compromised by EFAIL.

Different dimensions to the comments

The rough reaction to the public announcement of EFAIL unfolded several dimensions.

  • Some people claimed that this series of vulnerabilities was nothing new because email encryption was
  • ...Read more

2. The IETF working group mailing list

The Internet Engineering Task Force (IETF) is the organization responsible for the standardization of many internet protocols including OpenPGP and S/MIME . A working group composed of volunteers is dedicated to defining and maintaining the standard during the trimestral 5-day IETF meetings or on the mailing list which is freely available online to anyone . There was no immediate reaction after the public disclosure but on June 30, 2018, an email called «AEAD mode chunk size» was sent to the mailing list  and provided some technical thoughts about how to mitigate one specific issue of EFAIL. An asynchronous conversation started – mostly on a highly technical level – which happened only through emails involving many actors worldwide. This process lasted till May 2019 and resulted in the release of a new version of a part of the protocol which was later implemented in a lot of software and many digital libraries.

During that time, many other topics were discussed on this mailing list but interestingly, there were only very few explicit references to EFAIL. Instead, the vulnerabilities were scraped into a series of technical issues to be remediated separately, sometimes by different people. Interestingly, the tempo of what was done and exchanged through the IETF mailing list was not impacted by other manifestations of the vulnerability in the infosec community, like the Usenix presentation that took place in August 2018. The discussion happened predominantly amongst engineers and developers committed to finding a consensual solution to be implemented in various compatible yet competing products.

3. The academic presentation at Usenix conference

On August 16, 2018, in the Grand Ballroom VII–X of the Marriott Waterfront hotel in Baltimore, USA, Damian Poddebniak, on behalf of the EFAIL team, presented the EFAIL attack in front of an academic audience at the Usenix Security Symposium.

For the first time in public, the team deciphered the technicalities of the flaws they uncovered on the encryption protocols. According to the researchers, the paper was really well received by the academic community which was concerned by the technicality of the attack. In this plane, the EFAIL vulnerabilities can be seen as a formal object of study in computer science: this instance of EFAIL was assembled for an academic audience and the paper was a formal «proof of concept» of a new technique that the researchers called «malleability gadgets» (Poddebniak et al. 2018). As Schinzel himself told us, the Usenix paper, had to be «translated» to a more digestible format for developers and users (personal interview in Leipzig, 27.12.2018).

4. The presentation at the Chaos Communication Congress

On December 28, 2018, at 8.50 pm, Professor Sebastian Schinzel got on the stage at the 35c3 wearing a tee-shirt with the logo of EFAIL.

The Chaos Communication Congress (CCC) takes place every year since 1984, a major event for all geeks and technology enthusiasts in Europe. Very different from the Usenix paper, this presentation was neither very formal nor too specialized and, in addition to the technical details, it also gave room to broader considerations such as the pervasive lack of privacy that affects emails and the misadventures of the disclosure process. Although Schinzel did not reveal any new issues concerning EFAIL, he took the opportunity to make some statements about the public disclosure process. He declared that whatever happens, he would henceforth stick to the rule of the 90-days delay because it was not helpful to give the developers more than 200 days to find a solution. The 90-days rule he referred to is an embargo that implies that a researcher who found a vulnerability would give 90 days to the developers to ship a patch before disclosing the research publicly. Even though 90 days are somehow arbitrary, it is a usual standard in practice in infosec that is supposed to give enough time for developers while at the same time putting them under pressure. During his talk, Schinzel also added that he would probably no longer release a warning statement prior to the publication of the vulnerability itself because it did not work and people did not understand his intentions well. Hence, among other things, this talk was intended to close the disclosure controversy that erupted after his initial tweet.

Spatiality, temporality and the obscure backstage of vulnerabilities

This essay shows that the EFAIL disclosure took many forms at different times: Like a proton in a high energy physics experiment, the impact of disclosure created different simultaneous strains...Read more