GnuPGP, email and eFail

Some of our clients use OpenPGP to communicate with us via mail. Now, after the last publications on eFail everybody gets nervous.

In general, some people out there – and hopefully not my clients – should indeed become nervous – if they use problematic email programs and/or handle them stupidly. In addition, there must be a chance of real and capable man-in-the-middle-attackers on the Internet – as e.g. secret or intelligence services – to perform and master the special attack vectors of eFail. (Actually, I do not care about the problems of bad guys out there misusing encryption for evil. I care about my business clients …).

But, my dear clients: It is not the encryption mechanism of PGP or OpenPGP in itself which fails! It is partially the stupid default settings in some email programs (regarding HTML/Javascript-execution). Such settings can and should be be changed. And partially there are flaws regarding the structuring of emails which can be used against encrypted PGP mails.

But all of this can be mitigated by short term measures – and, astonishingly for myself, some basic rules coincide with what I am not getting tired to say to my clients:

  • Forbid HTML/Rich text in your email client programs. It is a source of evil. Never ever open HTML-parts of a mail. Do not click on Links. Forbid automatic loading of remote pictures and alike.
  • Install OpenPGP in your desktop environment and decrypt your messages in a non HTML-capable environment outside your eMail clients.
  • Use Kmail or Evolution with PGP.
  • And of course: Use Linux – where GnuPGP/OpenPGP comes along as basic equipment of most user environments and does not require fiddling with external programs as on (some) Windows systems.

Properly used PGP in its Opensource variants still is a secure way of exchanging emails. And, please, remember:

If your whole desktop or PC/laptop/server-environment is under attack and hacked no encryption will help you when you decrypt/encrypt in such an environment.

So: Do not panic. Be clear about what the real threats are and where they potentially may come from! Follow some simple basic rules. PGP-based encryption is only one brick in a secure exchange of information. Other bricks may be much more and directly vulnerable from the beginning.

Get more information here:
Bruce Schneier on Details on a New PGP Vulnerability

And by the way: There are other aspects of PGP which deserve some interest with respect to intelligence services and/or economic espionage: