Unlikely Voter

Conservative views on polls, science, technology, and policy

Relax: Basic Cryptography Has Not Been Broken, contra EFAIL

Edward Snowden in 2014 (kikodoze/flickr)

For over 25 years, people have relied on cryptography to protect themselves from more powerful snoops, such as governments. Some panicked tweets have gone out that have done more to mislead than to aid people. Here are the facts.

According to Sebastian Schinzel, every major means of encrypting email is broken. Pretty Good Privacy (PGP, a cryptography core), GNU Privacy Guard (GPG, an open source clone of PGP), and S/MIME (a protocol for encrypting email) are implicated. He recommends that people stop using encrypted emails.

But there’s more to it than that. The GNU Privacy Guard team was not even notified. That is a clear indicator that PGP and GPG have nothing to do with the security hole in question. So we’re left with S/MIME. And guess what: the real problem is that email clients are loading external websites linked in emails, such as images.

The key line, buried way down on the “EFAIL” website:

The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc.

So stop using HTML email, and you’re fine. Relax, folks. It’s just bad clients doing bad things. Cryptography is secure. Just stop loading HTML.
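
A defender-side check for the point above, as an added example (not code from the original post or from the EFAIL site): it lists the references in a message's HTML parts that a mail client would fetch when rendering, and returns the text/plain alternative to display instead. The sample message, the `tracker.example` host and all function names are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

FETCH_ATTRS = {"src", "background", "poster"}       # fetched on render, any tag
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)      # http://, https:// or //host
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class RemoteRefFinder(HTMLParser):
    """Collect (tag, attr, url) for attributes a client fetches when rendering."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            fetched = name in FETCH_ATTRS or (tag, name) == ("link", "href")
            if fetched and REMOTE.match(value or ""):
                self.refs.append((tag, name, value))

def audit_message(raw):
    """Return (remote references in text/html parts, text/plain body or None)."""
    msg = message_from_bytes(raw, policy=policy.default)
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
            finder = RemoteRefFinder()
            finder.feed(html)
            # CSS url() in <style> blocks or style= attributes; over-reports, never misses.
            refs += finder.refs + [("css", "url", u) for u in CSS_URL.findall(html)]
    plain = msg.get_body(preferencelist=("plain",))
    return refs, plain.get_content() if plain else None

# Constructed sample message (not from the page): one plain part, one HTML part.
SAMPLE = b"""Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Quarterly numbers attached.
--b1
Content-Type: text/html

<link rel="stylesheet" href="https://tracker.example/s.css">
<style>body { background: url('http://tracker.example/bg.png') }</style>
<a href="https://example.org/r">report</a> <img src="cid:logo">
<img src="http://tracker.example/pixel.gif?id=1">
--b1--"""
if __name__ == "__main__": print(audit_message(SAMPLE))
```

The ordinary `<a href>` link and the embedded `cid:` image are not reported, because neither causes a network request on render.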
