Press coverage of the EFAIL disclosure

Description

A non-exhaustive list of press article about the EFAIL vulnerability

View essay

Verschlüsselte E-Mails sind nicht sicher (Süddeutsche Zeitung, screenshot)

2018/5/14: screenshot of a Süddeutsche Zeitung article about EFAIL (Full PDF)

This article in German gives an overview of the EFAIL vulnerabilities for a non specialist public.

Es steht also fest: Was die Forscher herausgefunden haben, ist so verheerend, dass das Vertrauen in verschlüsselte Mails zumindest auf absehbare Zeit verloren sein dürfte.

The article also explains how public key cryptography works and why it could be important to encrypt emails:

Die NSA fing eine E-Mail ab, aber konnte die Verschlüsselung nicht brechen. Der wohl mächtigste Geheimdienst der Welt scheiterte jahrelang an PGP. Snowden war deshalb überzeugt: "Richtig eingestellte kryptografische Verfahren gehören zu den wenigen Dingen, auf die man sich verlassen kann." Wenn die Forscher ihre Ergebnisse an diesem Freitag auf einer Fachkonferenz in Bochum präsentieren werden, dann dürfte dieser Satz überholt sein.

Critical PGP and S/MIME bugs can reveal encrypted emails—uninstall now (ARS TECHNICA, screenshot)

2018/5/14: screenshot of ARS TECHNICA article about EFAIL (Full PDF)

Given the track record of the researchers and the confirmation from EFF, it's worth heeding the advice to disable PGP and S/MIME in email clients while waiting for more details to be released Monday night. Ars will publish many more details when they are publicly available.

Major #eFail Vulnerability Exposes PGP Encrypted Email (Forbes, screenshot)

2018/5/14: screenshot of Forbes article about EFAIL (Full PDF)

This article explains how the vulnerability was disclosed. Interestingly, it already discusses who should fixe the issue:

It appears the vulnerability (which some have dubbed eFail) resides in such email clients, rather than a fundamental problem with the PGP standard, according to Werner Koch, the man behind GNUPrivacyGuard (GnuPG), the free and open source PGP software suite. In a post, Koch said he believed the EFF's comments on the issue were "overblown" and that he hadn't been contacted about the vulnerability.

The author also quote spokesperson for ProtonMail:

A spokesperson for ProtonMail, a webmail service that uses PGP, confirmed its services were not affected. The spokesperson also eFail wasn't exactly new. "It has been known since 2001. The vulnerability exists in implementation errors in various PGP clients and not the protocol itself," the spokesperson added.
"What is newsworthy is that some clients that support PGP were not aware of this for 17 years and did not perform the appropriate mitigation."
"As the world's largest encrypted email service based on PGP, we are disappointed that some organizations and publications have contributed to a narrative that suggests PGP is broken or that people should stop using PGP. This is not a safe recommendation."

Encrypted Email Has a Major, Divisive Flaw (Wired, screenshot)

2018/5/14 - screenshot of the Wired article about EFAIL (Full PDF)

This article explains what the vulnerabilty is, how it works, and who disclosed it. It relayed the EFF's advice to stop sending and especially reading PGP-encrypted email and commented it:

This advice has seemed overly reactionary to some cryptographers, though, who argue that some people can't simply switch to other secure platforms and that encrypted email is still better than nothing. The bigger issue, they argue, is the lack of unity in securing email in the first place and dealing with problems as they arise.

The author also quoted Kenn White, from the Open Crypto Audit Project:

"The core architecture of PGP encryption is very dated, and in order to make current email apps able to still receive encrypted mail sent from older programs or read messages using older-style encryption, many software packages tolerate insecure settings," White says. "When a message is unable to be properly decrypted, instead of displaying a corruption error message—a 'hard fail' as it's known—the mail software will display the message anyway. Combined with other default conveniences like displaying images or loading links sent by the sender by default, the game is up."

OpenPGP und S/MIME: E-Mail-Verschlüsselung akut angreifbar (Heise Online, screenshot)

2018/5/14 screenshot of the Heise article about EFAIL (Full PDF)

This is a short article that announces the flaw and redirects interested readers to an up-coming article.

Die Probleme und Angriffe sind real; heise Security liegen detaillierte, technische Informationen zur Natur der Schwachstellen vor und konnte zumindest einen Angriff auf eine verschlüsselte PGP-Mail unter Laborbedingungen nachvollziehen. Mehr Informationen dazu wird heise Security spätestens zum Ablauf der Sperrfrist morgen Vormittag veröffentlichen.

PGP und S/MIME: So funktioniert Efail (Heise, screenshot)

2018/5/14 extended article published in Heise Security that explains how EFAIL works. (Full PDF)

Efail: Welche E-Mail-Clients sind wie sicher? (Heise, screenshot)

2018/5/23 an article published in Heise some days after EFAIL public disclosure. It discusses the status of some fixes in email clients. (Full PDF)

Efail ist ein EFFail (Heise, screenshot)

2018/5/16 - two days after the public disclosure, Heise published a commentary about the disclosure process. (Full PDF)

PGP ist nicht kaputt. Wenn man allerdings große Teile der Berichterstattung über die Efail-Lücken verfolgt hat, könnte man zu diesem Schluss gelangen. Das liegt vor allem daran, dass Aufmerksamkeit nicht nur das wichtigste Kapital für Medien geworden ist, sondern auch für Forscher. Die Offenlegung der Efail-Schwachstellen ist ein Lehrstück dafür, wie so etwas maximal schief gehen kann.

People Are Freaking Out That PGP Is ‘Broken’—But You Shouldn’t Be Using It Anyway (Motherboard, screenshot)

2018/5/14 - screenshot of a Motherboard article about EFAIL. The title as well as the incipit of the article reveal the skepticism of the author about the crypto protocol (Full PDF):

On Monday, the world was reminded once again that the almost 30-year-old encryption protocol PGP does still exist, and, yes, it still kinda sucks.

Another quote:

"Sadly I think what it tells everyone is that as standards age, legacy systems will almost inevitably be exploited," Alan Woodward, a professor at the University of Surrey, told me, "and email does not make for a good platform for secure messaging in the first place."

S/MIME artists: EFAIL email app flaws menace PGP-encrypted chats (The Register, screenshot)

2018/5/14 screenshot of the article of The Register about EFAIL (Full PDF)

So, how bad is it? Hacker House cofounder and Brit infosec pro Matthew Hickey told The Register while we're unlikely to see widespread abuse of EFAIL, the potential for targeted attacks against journalists, corporations, activists, and academics makes it worth taking seriously.

Email Is Dangerous (The Atlantic, screenshot)

2018/5/21 screenshot of an interesting, extended article published in The Atlantic. (Full PDF)

The lesson of Efail is that you can build everything well, but if you’ve built on a bad foundation, there’s no structure strong enough to stand. No one is responsible for email itself, and in the days since the Efail disclosure people have been pointing fingers at each other—email clients, vendors, OpenPGP standards, and S/MIME software vendors. It’s no one’s fault and it’s everyone’s fault. These kinds of disclosures, and the hacks built on the flaws of email, will keep coming for the foreseeable future.

What "Efail" Tells Us About Email Vulnerabilities and Disclosure (Schneir on Security, screenshot)

2018/5/24 - 10 days after the public disclosure of EFAIL, Bruce Schneir commented the disclsosure process. This is a long, in-depth and worthwhile article about the general process of vulnerability disclosure and email security in general. Link to the full version.

Expect more of these kinds of problems in the future. The internet is shifting from a set of systems we deliberately use—our phones and computers—to a fully immersive internet-of-things world that we live in 24/7. And like this email vulnerability, vulnerabilities will emerge through the interactions of different systems. Sometimes it will be obvious who should fix the problem. Sometimes it won't be. Sometimes it'll be two secure systems that, when they interact in a particular way, cause an insecurity.

Die wichtigsten Fakten zu Efail (GOLEM, screenshot)

2018/5/22 - a long, in-depth article about EFAIL published in Golem (Full PDF)

Ein Problem bei Efail war, dass zum Zeitpunkt der Veröffentlichung für viele der betroffenen Mailclients keine Updates bereitstanden. Dabei waren sie bereits Monate vorher informiert worden.

PGP: Encryption Program Used by Edward Snowden 'Can Leak Secret Messages' (Newsweek article)

2018/5/14: screenshot of a Newsweek article about EFAIL (Full PDF)

This article is interesting as it makes the link between the EFAIL disclosure and the emblematic figure of digital rights activist Edward Snowden:

PGP, which is used to scramble the content of sensitive messages and believed to be one of the most secure methods of protecting private email communications, was once used by National Security Agency (NSA) whistleblower Edward Snowden to contact journalists.

It is interesting to note that during his talk at the CCC [https://media.ccc.de/v/35c3-9463-attacking_end-to-end_email_encryption], Sebastian Schinzel explicitly states that the only way to use PGP is to follow Snowden's tutorial published in this video for Laura Poitras. This method was never compromised by EFAIL.

License

All rights reserved.

Annotations

Contributors

Created date

November 27, 2019

Group Audience