For more than a week, PGP developers have been rapidly working to patch critical flaws in the legacy encryption protocol used for sending and receiving secure emails that’s widely relied upon by lawyers, journalists, dissidents, and human rights advocates, many of whom operate at the highest levels of risk while in shadows of oppressive, unforgiving regimes.
Progress is slow. And as Gizmodo has learned, a number of exploits remain active, impacting at least two of the most popular PGP programs.
While the flaws — known as eFAIL and initially disclosed by researchers Sebastian Schinzel, Jens Müller and six others — have been repaired, new exploits stemming from their research continue to leave certain PGP clients vulnerable to attack, according to interviews with multiple experts involved in ongoing research, as well as video of an as-of-yet unpatched vulnerability seen by Gizmodo.
Last week, the Electronic Frontier Foundation (EFF) issued vague and, therefore, ultimately controversial advice instructing users to discontinue their use of PGP. The decision led to significant blowback from the infosec community and the publication of several misleading articles authored by reporters covering the event before being capable of understanding what was at stake. As such, the EFF has spent the last week in perpetual crisis mode, communicating with a network of cryptographers and other experts developing the latest ways to bypass the most recent eFAIL patches.
It hasn’t been easy. On the phone Thursday, Danny O’Brien, EFF’s international director, joked that his desk was virtually covered in sympathy gifts dropped off by his colleagues. The tone of his occasional laughter seemed more medicinal than comically induced. The stress in his voice, however, was far more pronounced when discussing the problems facing the users in far off country who depend on PGP than at any point when discussing the hits to EFF’s reputation.
“We’ve been defending PGP for 27 years in court and elsewhere,” he said. “We have a lot of time to make it up to all these people. They’re mad at us. It’s fine.”
Earlier that day, top developers at Protonmail, Enigmail, and Mailvelope — all PGP services — published recommendations to counter those issued by EFF last week. EFF’s advice to discontinue use of PGP was, the devs said, “highly misleading and potentially dangerous.” The statement was also signed by Phil Zimmerman, PGP’s creator.
Among other advice, the developers urged users to download Engimail’s latest patch: version 2.0.5. For those using GPGTools, the add-on used to encrypt emails in Apple Mail, they suggested disabling the option to load remote content in messages.
Within hours, however, Gizmodo heard from multiple researchers who claim to have circumvented these measures. By 7pm Thursday, the EFF was politely, but frantically, emailing Enigmail’s founder, Patrick Brunschwig, but had yet to receive a response. Four hours earlier, Brunschwig told Gizmodo that he was unaware of any new issues with the latest version of his plugin, which enables PGP on Mozilla’s email client, Thunderbird.
A previous Enigmail patch addressing eFAIL, released on May 16, was quickly bypassed by infosec researcher Hanno Böck — two days after several leading PGP developers claimed that Enigmail had been patched and was completely safe to use.
Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.
— ProtonMail (@ProtonMail) 14 May 2018
Gizmodo was alerted to flaws discovered as recently as Wednesday that currently impact multiple PGP implementations, including Enigmail (Thunderbird) and GPGTools (Apple Mail) — the technical details of which are being withheld at present while the appropriate developers are contacted and given time to address it.
Regardless, the advice offered by Protonmail, Enigmail, and others on Thursday appears no longer valid — cringeworthy, given one subtitle in the post that reads: “Why our recommendation is better than EFF’s recommendation.”
It’s true, O’Brien admits, the advice EFF first offered was vague. But at the time, the intention was not to offer technical details or support. They simply wanted as many people as possible to stop using PGP, and they wanted it to happen fast.
The researchers behind eFAIL had decided upon a 24-hour notice, and though they too were met with criticism online, accused in some cases of stirring up “drama” for the sake of publicity, it was thought best to give users at least some time to disable the affected plugins before publishing a proof-of-concept paper. In particular, it was feared that with the knowledge contained in the researcher’s paper, malicious actors would adopt the techniques and begin to launch attacks within a few hours time.
“The researchers were describing an entire class of new attacks. There was this one thing that was super easy that they came up with, but they also paint in the paper a huge bunch of other attacks that would work,” O’Brien said by phone. “It wasn’t a case of having to write software to do this. You could literally just cut and paste what they said in the paper and use it. The video of how easy it was to use, that was the thing that clinched it for me — sitting and watching a video of someone just clicking a few buttons and being able to exfiltrate data.”
“We needed to chill things down,” he said. “Our thinking was, ‘Okay, everybody just chill for a week, and then patches will be out, and then we can all get back to normal.’”
But the 24-hour period the researchers had hoped for was interrupted. The pre-disclosure disclosure had immediately turned into a massive clusterfuck, with angry accusations being flung from all corners of the internet. And then, two hours after EFF’s warning was published, Werner Koch, the principal author of GNU Privacy Guard, the latest iteration of PGP, released details explaining how the eFAIL vulnerability worked. The embargo was blown.
Why on Earth is @EFF contributing to all the FUD about PGP in that paper? The current version of Enigmail isn't vulnerable and hasn't been for months. That's one of the most widely used PGP plugins. "Stop using PGP email?" I am disappointed, EFF. https://t.co/HvfkcnqnkY
— Hector Martin (@marcan42) 14 May 2018
Disappointing to see this from @EFF (whom I value greatly). Again, #efail - as outlined by those that disclosed it - does not refer to a vuln in PGP itself, but in the plugins of *some* email clients that use/wrap it. Tweets like this put ppl at risk https://t.co/dP1qVdBkVD
— Julian Oliver (@julian0liver) 15 May 2018
Unsure of how to react, the EFF ultimately decided not to cite or share any specific details about the eFAIL flaws until the following morning, remaining fearful of propagating the easy-to-replicate exploits before its warning had been widely received.
For hours after the public learned that not every PGP app was affected, the EFF’s website continued to merely advise, “stop using PGP.”
Because there much fuss about efail I posted a quick summary. Note that the GnuPG team was not contacted by them in advance; I got the info from a paper to the Kmail developers.https://t.co/CTXReMITkt
— GNU Privacy Guard (@gnupg) 14 May 2018
On Twitter and in his message preemptively disclosing the eFAIL flaws, Koch claimed that GnuPGP had not received any advanced warning from the researchers. But two hours later, the story changed. Koch later said he had found an email exchange between himself and the researchers from November 2017 describing flaws that he said did not appear critical at the time. In April, he received a version of the report, but it was dismissed.
He writes, in part:
The GnuPG team discussed this but did not see that any action was required. In particular because due to the redaction we were not able to contact and help the developers of other [mail user agents] which might be affected.
“Disclosure is always hard when dealing with problems that are still unpatched when the researchers publish, and they’ll always be things we could do better,” O’Brien said. “But in cases like this where changes are fast-moving — both when people are developing new exploits based on a paper, and developers are working hard to patch them, and the population is particularly vulnerable, we felt it better to be conservative.”
In an email Friday morning, Jens Müller, one of the original eFAIL researchers, said that he expects new exploits to pop up in the coming weeks. “Depending on your threat model, the EFF was right (and Protonmail is wrong),” he wrote in an email. “It’s sometimes better to [temporarily] disable encryption (or decrypt in the terminal) than to have your whole past communication at stake.”
Meanwhile, it remains unclear whether reverting to simple HTML, as recommended by Protonmail, will even mitigate future exploits developed from the eFAIL paper, researchers said. And notably, HTML cannot be disabled entirely in Apple Mail, potentially leaving the developers behind GPGTools in a tough spot. Currently, GPGTools recommends “as a workaround” disabling the option to “load remote content in messages.” But Gizmodo has since learned this is no longer entirely effective.
What’s more, the eFAIL team now says it’s testing two new exploits that may end up rendering one of the last-resort solutions — only ever using plaintext — inviable.
The cycle of developers introducing patches and having them bypassed within days could carry on for weeks, if not months. The advice to avoid Enigmail and PGPTools, therefore, remains sound, both the EFF and the eFAIL researcher agreed. But again, it really depends on the threat model of individual PGP users. For those facing few threats and simply using PGP to keep the messages private from unsophisticated prying eyes, like a boss, for example, there’s little reason to abandon PGP, even if it remains inherently flawed.
However, for those who have legitimate reasons to suspect they are being individually targeted by an advanced threat, like a nation state, the EFF’s warning should not be taken lightly or ignored simply because a handful of developers are arguing it’s overkill. If lives are truly on the line, why throw caution to the wind?
While the last batch of exploits isn’t “quite as impressive” as those in the original eFAIL paper, “it’s still pretty bad,” O’Brien said. “Bad enough that we’re going to hold off on changing our advice.”
“Once it’s out there,” he said, “it’s hard to walk it back.”