https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08
https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2018-May/004995.html
Writing just for himself -- not for GnuPG and not for Enigmail and definitely not for his employer -- Robert J Hansen, an Enigmail developer and GnuPG volunteer, put together a postmortem on Efail:
Less than a week ago, some researchers in Europe published a paper with the bombshell title "Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels." There were a lot of researchers on that team but in the hours after release Sebastian Schinzel took the point on Twitter for the group.
Oh, my, did the email crypto world blow up. The following are some thoughts that have benefited from a few days for things to settle.
They say that when there's a fire in a nightclub you're at more risk of dying from the stampede than the blaze. The panic kills both by crushing people underfoot, and by clogging the exits so that people have to stay in the club longer and breathe more hot smoke-filled air. The fire is a problem but the panic is worse. That's what we saw here, and frankly I place a lot of blame for that at the feet of the Electronic Frontier Foundation.
Previously: PGP and S/MIME Vulnerable, Take Action Now (Update: Embargo Broken)
Related Stories
Ars Technica is reporting that there are
critical PGP and S/MIME bugs which can reveal encrypted e-mails. Their advice is to uninstall the plugins, for the time being. More information will be released tomorrow (Tuesday at 07:00 UTC, 3:00 AM EDT, midnight PDT).
Little is publicly known about the flaws at the moment. Both Schinzel and the EFF blog post said they will be disclosed late Monday night California time in a paper written by a team of European security researchers. Schinzel's Twitter messages used the hashtag #efail, a possible indication of the name the researchers have given to their exploit.
The EFF also published a warning, Attention PGP Users: New Vulnerabilities Require You To Take Action Now:
A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.
The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.
The EFF also gives additional advice on disabling PGP in Thunderbird with Enigmail as well as other mail and mail-like clients.
takyon: The embargo is broken and the full details, including the paper (PDF), have been published.
(Score: 3, Insightful) by takyon on Friday May 25 2018, @09:29AM
I read Hansen's post when this was submitted. One of EFF's lamer moments due to the incredibly ambiguous statements they made in their alarmist blog post. I don't see any follow-up as Hansen seemed to believe was on the way. If you aren't going to donate to EFF because of it, pitch some money to the Internet Archive or something instead.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 4, Interesting) by choose another one on Friday May 25 2018, @01:13PM
Problem with post-mortems is that they necessarily involve hindsight, problem with planning to handle future events better is that you have to do it without hindsight.
This is _only_ because the stampede will kill you first, because people in the process of dying of smoke inhalation are not physically able to stampede. It is a fallacy to conclude from that risk statement that one should focus on preventing the stampede rather than preventing the blaze. There was no stampede in the ghost ship fire, no stampede in the Grenfell fire (where victims were in fact told by fire brigade to "stay put" and survivors are those who ignored the fire brigade), instead people (lots) died in the fire - should this be considered an improvement?
The decision to yell "fire" or not (or how loud to yell) is always going to be a tough one, for a good example look at aircraft evacs - even _test_ evacuations with fully briefed passengers who are not in panic mode cause injuries and definitely are a risk to life, hence in calling the evac on an actual aircraft you are almost certainly going to hurt someone, often badly and possibly fatally, but leave it too late and you've got Saudia 163 or Airtours at Manchester. What is the right decision? - we'll let you know afterwards, when we know if there was a fire or how bad it was and how many people got hurt. Brilliantly helpful that.
The one thing that is sure to help is properly trained, informed, and prepared passengers/users who comply with instructions in an orderly manner without panic. Unfortunately GnuPG doesn't have that, by a long way, to quote TFA:
See, whatever you do, even fixing the problem in the right way, people will die.
(Score: 0) by Anonymous Coward on Friday May 25 2018, @02:22PM (4 children)
I wish some people wouldn't use overly unusual words when a simple one will do.
(Score: 0) by Anonymous Coward on Friday May 25 2018, @02:57PM (2 children)
Afraid you might learn something?
(Score: 0) by Anonymous Coward on Friday May 25 2018, @05:53PM
Indubitably
(Score: 3, Funny) by MichaelDavidCrawford on Friday May 25 2018, @09:12PM
"... I forget how to drive."
-- Homer Simpson
Yes I Have No Bananas. [gofundme.com]
(Score: 1, Insightful) by Anonymous Coward on Friday May 25 2018, @06:44PM
Well, even though the sound of it is something quite atrocious, if you say it loud enough, you'll always sound precocious.