Back in May 2018, a site called EFAIL published a position paper describing vulnerabilities in OpenPGP and S/MIME email clients that lead to the leaking of the plaintext of encrypted emails. This pretty much set the security community on fire, pitting one side against the other. In the end, many did eventually agree that the underlying PGP technology was, indeed, sound. Turns out, what’s broken is the implementation of that technology. In other words, all those user-level tools that make use of PGP aren’t nearly as well-built as we might think they are. Much of the problem lies in the development of email encryption tools that make use of PGP. And that, my friends, is where my take on this begins.
Email is one of the most important uses of encryption. Without encryption, sending sensitive information via email is a non-starter. And it’s not just that someone with the skills could intercept that email in transit and read the information contained within; it’s that those emails most often wind up sitting in an inbox or a sub-folder of said inbox, ready for anyone to partake in the information contained within. That’s where encryption comes in handy. Should a client, colleague, friend, or family member send you an encrypted missive containing sensitive data, only those with the decryption key should be able to crack open that email to view its contents. But with broken implementations, that’s not exactly the case. Granted, the average user isn’t going to break that encryption or hack the poorly crafted user-level API bridging PGP to the email client. However, the fact that it’s possible stands as a siren song declaring this a major issue.
I believe it goes much further than that.
I recently had a discussion on Twitter (as much as one can have a discussion on the service) about an article I wrote on how to add images to security keys. It was quickly pointed out that this could be considered bad advice because … can you guess? … the implementation of photos in keys is broken!
This issue has been around (and known about) for a long time. Yet it’s never been reported (at least not on a wide scale). So something as simple as adding a photo to a PGP key could be considered a security risk.
Remember, PGP is supposed to be all about security. And yet, everywhere you look the software that makes use of PGP renders the underlying layer vulnerable.
This needs to be fixed.
From my vantage point, the biggest problem with encryption (outside of these vulnerabilities) is the fact that few people actually use it. Sure, those who are really, really concerned about privacy and security will make use of PGP in some form or function, but the average user (of whom there are hundreds of millions) wouldn’t know PGP if it reached out from their monitor and slapped them across the face to say, “Pay attention to me!” There’s a reason for this. The average user doesn’t know where to begin working with encryption … on any level. Try talking your parents through the usage of encryption in email. Watch their faces go slack as every word you utter flies over their heads.
The thing is, if PGP (or OpenPGP, or GPG, or GnuPG … you get the idea) is to succeed, it needs to be used (and not just by the enlightened few). Encryption needs to become the standard. For that to happen, it needs to be built into email clients such that users require zero hand-holding to understand or use the technology. But before that can happen, the implementations of PGP need to be fixed.
I’ve reached the point where I cannot, in good conscience, write about using any incarnation of PGP until it becomes clear the user-facing software has been patched and no longer renders the underlying technology vulnerable to attacks. What good does it do to cry to the heavens, “Use this software, so your emails are secure!” when we know that may not be 100% true? I’ve gone so far as to disable Enigmail in Thunderbird (a tool I’ve used for a very long time). Why? Well, first off … these vulnerabilities give me pause about trusting the technology. Second, fewer and fewer email recipients are using encryption. So why bother going through the motions of typing my encryption password every time I send a signed email?
Where’s the fix?
I’m not a developer. I have the utmost respect for developers (especially open source developers, who often work for the love of a project). But because I stopped studying programming after a year of C++, I have no idea what the fix is; I only know said fix is needed. But the truth of the matter is this: it’s time to stop touting encryption as the way to go until the software that bridges applications to GPG is fixed. And the fixes must be done at the developer level. If you read the EFAIL site, you will see they offer suggestions for mitigating these issues. Those suggestions would never be accepted by end users. Period. That’s too much work for an average user to undergo in order to ensure a technology that is supposed to protect their data is actually doing the protecting.
I’ve talked to developers about this issue. They know there’s a problem, and they want to fix it. But the issue is one that must be fixed on a larger scale. As much as we want to think it can be fixed by a small core of developers working on, say, Enigmail, this is a standards issue. Until the standards are fixed, encryption (at the user level) is broken. Until encryption is fixed, it is not secure.