Discussion:
We're calling it: PGP is dead
Anonymous
2018-07-27 16:13:07 UTC
The EFail vulnerability threatened to punch a hole in PGP's security. Ditch encrypted email and use Signal for your messaging instead

When Edward Snowden wanted to contact filmmaker Laura Poitras to blow the whistle on activities at the NSA, his first step was to find out her public PGP key.

PGP stands for ‘Pretty Good Privacy,’ and it has been one of the dominant forms of end-to-end encryption for email communications since the 1990s. Users have a public key and a private key – senders use the former to encrypt messages, which can only be decoded by someone who has access to the latter.

Since Snowden, PGP and open-source equivalent GPG (GNU Privacy Guard) have become increasingly popular forms of encryption for whistleblowers, dissidents, and human rights activists. Journalists place links to their public keys on their Twitter profiles to give would-be sources a safe means of contacting them.

But, on May 14, researchers from Münster University of Applied Sciences released details of what’s been reported as a "serious flaw" in PGP. The exploit, dubbed 'EFail', uses a piece of HTML code to trick certain email clients, including Apple Mail, Outlook 2007 and Thunderbird, into revealing encrypted messages.

Some argue that the vulnerability has been blown out of proportion. “I’m not sure how widely it’s going to be exploited,” says Ross Brewer, of cybersecurity firm LogRhythm. “It’s interesting in theory.” Brewer points out that to use the exploit, hackers would already need to have access to some of your encrypted emails so that they can inject the relevant code. It also only afflicts certain email clients, and turning off HTML rendering for all emails offers an easy fix while they are patched.

Scrutiny of the vulnerability after it was published also says it was overhyped. Encrypted email provider ProtonMail published a blogpost stating there were "pretty strong caveats" to the research. Nonetheless, the Electronic Frontier Foundation, a non-profit that promotes free and fair access to technology, has recommended that users stop using PGP for encryption for the time being.

But even before this week’s news, questions have been raised about the usability of PGP. Matthew Green, a cryptographer and professor at Johns Hopkins University, has argued that “it’s time for PGP to die”. It turns out that for the majority of people, Pretty Good Privacy may not be good enough.

‘It’s time for PGP to die’

One of the many problems with PGP is its age, says Green. It was first developed in 1991 (“when we didn’t really know anything about crypto”) and then standardised into OpenPGP from 1997.

The science of cryptography has advanced dramatically since then, but PGP hasn’t, and any new implementations have to remain compatible with the features of previous tools, which can leave them vulnerable to similar exploits.

There are other faults, including the difficulty of accessing encrypted emails across multiple devices, and the issue of forward secrecy, which means that a breach potentially opens up all your past communication (unless you change your keys regularly). It’s rumoured that the NSA stockpiles encrypted messages in the hope of gaining access to the keys at a later date.

But the biggest problem with PGP is how difficult it is for people to use simply. "It’s a real pain," says Green. "There’s key management – you have to use it in your existing email client, and then you have to download keys, and then there’s this whole third issue of making sure they’re the right keys."

This criticism has plagued PGP for most of its existence. A technical research paper by Alma Whitten and JD Tygar called Why Johnny Can’t Encrypt: a Usability Evaluation of PGP 5.0 drew attention to the problem as early as 1999.

To encrypt an email manually using PGP requires a decent level of technical knowledge, and adds several steps to the process of sending each message, to the extent that even Phil Zimmermann, the creator of PGP, no longer uses it.

“All of these things have been really hard for non-experts, and even for experts,” says Green. Even Edward Snowden has screwed it up. When he first reached out anonymously to a friend of Poitras, Micah Lee, to ask him for her public PGP key, he forgot to attach his own public key, meaning that Hill had no secure way to respond to him.

Many of the issues around PGP are aligned with email being a dated form of communication. To make PGP easier to use, end users can install plug-ins for their email clients, or use browser-based solutions to encrypt and decode their messages, but this is where vulnerabilities can creep in.

In the case of EFail, the issue is not with the PGP protocol itself, but with the way it has been implemented, says Josh Boehm, founder and CEO of encrypted communications service cyph.com, which offers private voice and video chat in a web browser.

“There’s no standard way of implementing it, so a number of people have just done it wrong,” he says. “That then becomes the weakest link in the chain. It doesn’t matter how strong the chain of PGP is, if they can get you to unlock it and send that information to them it’s essentially worthless.”

The rise of encrypted messengers

We could all benefit from end-to-end encryption of our emails, but because it’s so difficult to use, PGP has largely remained the reserve of tech-savvy whistle-blowers and cryptography experts. Green says a recent search puts the number of non-expired public PGP keys at around 50,000. “That’s the total usage of PGP,” he says. “The vast majority of people don’t use it.”

By contrast, in 2016, there were almost 50 million global downloads of the encrypted messaging app Telegram. On Twitter, links to PGP keys in the bios of journalists are being replaced by the phone numbers they use for Signal, the encrypted messaging service endorsed by leading security experts around the world. Then there’s Apple’s iMessage, and of course WhatsApp - which, in turning on end-to-end encryption for more than a billion by default has arguably done the most to take encryption to the masses.

“Not only are there improvements to the encryption itself, you don’t have to do anything technical to get set-up, and you don’t really have to be worried in most cases about your data being exfiltrated,” says Boehm.

Green says these apps, with their modern cryptography techniques and seamless user experience, are “the solution” to problems of PGP. “You have all the key management problems hidden from you. They’re managed by the system.”

Of course, there are potential problems with allowing private companies to hold the keys to all of your sensitive conversations. But, these projects are generally less vulnerable than PGP because they are independent, says Green.

“When something goes wrong with WhatsApp, WhatsApp fixes it,” he says. “When something goes wrong in the amorphous PGP community, no one puts their hand up to fix it. Individually people think about the security of their own tool. They don’t think about the whole system.”

Green would like to see a world where we encrypt all of our communications, including email. In 2014, Google launched a project with Yahoo to bring end-to-end encryption to their email services. The two companies account for a significant proportion of the world’s email traffic, and it would have been a big step towards Green’s vision, if Google hadn’t cancelled the project.

This week’s news has demonstrated why PGP is not the answer, but encrypted messengers show the way forward. “It’s not going to get better tomorrow, but you can make encryption the default if you make the services good enough,” says Green. Until then, better head to the App Store.

<https://www.wired.co.uk/article/efail-pgp-vulnerability-outlook-thunderbird-smime>
Anonymous
2018-07-27 16:17:06 UTC
Post by Anonymous
Of course, there are potential problems with allowing private companies to hold the keys to all of your sensitive conversations. But, these projects are generally less vulnerable than PGP because they are independent, says Green.
Paranoid Pete
2018-07-29 23:44:02 UTC
Post by Anonymous
Of course, there are potential problems with allowing private companies to hold the keys to all of your sensitive conversations. But, these projects are generally less vulnerable than PGP because they are independent, says Green.
Yes, that really was a comical statement. I know I can really trust
those companies more than I can trust myself.

I continue to use gpg, and will keep on doing so.


Paranoid Pete
William Unruh
2018-07-27 19:53:00 UTC
On 2018-07-27, Anonymous <***@anonymous.com> wrote:

I see you back up your claims with your own reputation!
Post by Anonymous
The EFail vulnerability threatened to punch a hole in PGP's security. Ditch encrypted email and use Signal for your messaging instead
When Edward Snowden wanted to contact filmmaker Laura Poitras to blow the whistle on activities at the NSA, his first step was to find out her public PGP key.
PGP stands for ‘Pretty Good Privacy,’ and it has been one of the dominant forms of end-to-end encryption for email communications since the 1990s. Users have a public key and a private key – senders use the former to encrypt messages, which can only be decoded by someone who has access to the latter.
Since Snowden, PGP and open-source equivalent GPG (GNU Privacy Guard) have become increasingly popular forms of encryption for whistleblowers, dissidents, and human rights activists. Journalists place links to their public keys on their Twitter profiles to give would-be sources a safe means of contacting them.
But, on May 14, researchers from Münster University of Applied Sciences released details of what’s been reported as a "serious flaw" in PGP. The exploit, dubbed 'EFail', uses a piece of HTML code to trick certain email clients, including Apple Mail, Outlook 2007 and Thunderbird, into revealing encrypted messages.
Except this is a vulnerability in the email client, not in PGP. PGP is a
crypto system. It is used in some email clients. Obviously the email clients
have to be able to decrypt the mail, and if they are buggy they can then leak
the plaintext.
Post by Anonymous
Some argue that the vulnerability has been blown out of proportion. “I’m not sure how widely it’s going to be exploited,” says Ross Brewer, of cybersecurity firm LogRhythm. “It’s interesting in theory.” Brewer points out that to use the exploit, hackers would already need to have access to some of your encrypted emails so that they can inject the relevant code. It also only afflicts certain email clients, and turning off HTML rendering for all emails offers an easy fix while they are patched.
Again, see above.
Post by Anonymous
Scrutiny of the vulnerability after it was published also says it was overhyped. Encrypted email provider ProtonMail published a blogpost stating there were "pretty strong caveats" to the research. Nonetheless, the Electronic Frontier Foundation, a non-profit that promotes free and fair access to technology, has recommended that users stop using PGP for encryption for the time being.
But even before this week’s news, questions have been raised about the usability of PGP. Matthew Green, a cryptographer and professor at Johns Hopkins University, has argued that “it’s time for PGP to die”. It turns out that for the majority of people, Pretty Good Privacy may not be good enough.
‘It’s time for PGP to die’
One of the many problems with PGP is its age, says Green. It was first developed in 1991 (“when we didn’t really know anything about crypto”) and then standardised into OpenPGP from 1997.
The science of cryptography has advanced dramatically since then, but PGP hasn’t, and any new implementations have to remain compatible with the features of previous tools, which can leave them vulnerable to similar exploits.
There are other faults, including the difficulty of accessing encrypted emails across multiple devices, and the issue of forward secrecy, which means that a breach potentially opens up all your past communication (unless you change your keys regularly). It’s rumoured that the NSA stockpiles encrypted messages in the hope of gaining access to the keys at a later date.
But the biggest problem with PGP is how difficult it is for people to use simply. "It’s a real pain," says Green. "There’s key management – you have to use it in your existing email client, and then you have to download keys, and then there’s this whole third issue of making sure they’re the right keys."
This criticism has plagued PGP for most of its existence. A technical research paper by Alma Whitten and JD Tygar called Why Johnny Can’t Encrypt: a Usability Evaluation of PGP 5.0 drew attention to the problem as early as 1999.
To encrypt an email manually using PGP requires a decent level of technical knowledge, and adds several steps to the process of sending each message, to the extent that even Phil Zimmermann, the creator of PGP, no longer uses it.
“All of these things have been really hard for non-experts, and even for experts,” says Green. Even Edward Snowden has screwed it up. When he first reached out anonymously to a friend of Poitras, Micah Lee, to ask him for her public PGP key, he forgot to attach his own public key, meaning that Hill had no secure way to respond to him.
I suppose if he did not want anyone knowing that Lee had sent his public key,
it needed to be encrypted. But Lee could have posted it on his web page for
anyone in the world to read. There is no need for the public key to be
protected.
Post by Anonymous
Many of the issues around PGP are aligned with email being a dated form of communication. To make PGP easier to use, end users can install plug-ins for their email clients, or use browser-based solutions to encrypt and decode their messages, but this is where vulnerabilities can creep in.
Yes, and that has nothing to do with PGP.
Post by Anonymous
In the case of EFail, the issue is not with the PGP protocol itself, but with the way it has been implemented, says Josh Boehm, founder and CEO of encrypted communications service cyph.com, which offers private voice and video chat in a web browser.
Finally, after a huge misleading diatribe, you get to the point.
Post by Anonymous
“There’s no standard way of implementing it, so a number of people have just done it wrong,” he says. “That then becomes the weakest link in the chain. It doesn’t matter how strong the chain of PGP is, if they can get you to unlock it and send that information to them it’s essentially worthless.”
This is true for all encryption. If you take this as the standard, then all
encryption is dead.
Post by Anonymous
The rise of encrypted messengers
We could all benefit from end-to-end encryption of our emails, but because it’s so difficult to use, PGP has largely remained the reserve of tech-savvy whistle-blowers and cryptography experts. Green says a recent search puts the number of non-expired public PGP keys at around 50,000. “That’s the total usage of PGP,” he says. “The vast majority of people don’t use it.”
By contrast, in 2016, there were almost 50 million global downloads of the encrypted messaging app Telegram. On Twitter, links to PGP keys in the bios of journalists are being replaced by the phone numbers they use for Signal, the encrypted messaging service endorsed by leading security experts around the world. Then there’s Apple’s iMessage, and of course WhatsApp - which, in turning on end-to-end encryption for more than a billion by default has arguably done the most to take encryption to the masses.
“Not only are there improvements to the encryption itself, you don’t have to do anything technical to get set-up, and you don’t really have to be worried in most cases about your data being exfiltrated,” says Boehm.
Green says these apps, with their modern cryptography techniques and seamless user experience, are “the solution” to problems of PGP. “You have all the key management problems hidden from you. They’re managed by the system.”
Of course, there are potential problems with allowing private companies to hold the keys to all of your sensitive conversations. But, these projects are generally less vulnerable than PGP because they are independent, says Green.
Complete horseshit. Let's say those companies send NSA a list of all their keys
every night. How secure is it? Or the local Mafia has made them an offer they
could not refuse. Sheesh. This is the way forward.
Post by Anonymous
“When something goes wrong with WhatsApp, WhatsApp fixes it,” he says. “When something goes wrong in the amorphous PGP community, no one puts their hand up to fix it. Individually people think about the security of their own tool. They don’t think about the whole system.”
Green would like to see a world where we encrypt all of our communications, including email. In 2014, Google launched a project with Yahoo to bring end-to-end encryption to their email services. The two companies account for a significant proportion of the world’s email traffic, and it would have been a big step towards Green’s vision, if Google hadn’t cancelled the project.
This week’s news has demonstrated why PGP is not the answer, but encrypted messengers show the way forward. “It’s not going to get better tomorrow, but you can make encryption the default if you make the services good enough,” says Green. Until then, better head to the App Store.
<https://www.wired.co.uk/article/efail-pgp-vulnerability-outlook-thunderbird-smime>
a***@ymous.com
2018-07-28 05:43:43 UTC
On Fri, 27 Jul 2018 18:13:07 +0200 (CEST)
Post by Anonymous
The EFail vulnerability threatened to punch a hole in PGP's security.
Ditch encrypted email and use Signal for your messaging instead
Shut the fuck up. There is nothing wrong with pgp. The problem was
caused by email clients acting like web browsers and executing code in
emails instead of just plaintext. Again, with the email client itself
not a vulnerability within pgp. Who are you to call anything? Stop
shilling for Signal and other walled gardens.
Anonymous
2018-07-28 17:44:06 UTC
Post by a***@ymous.com
Shut the fuck up. There is nothing wrong with pgp. The problem was
caused by email clients acting like web browsers and executing code
in emails instead of just plaintext. Again, with the email client
itself not a vulnerability within pgp. Who are you to call anything?
Stop shilling for Signal and other walled gardens.
Who in the hell are you to tell anyone to shut the f up, you little
bastard.
invalid
2018-07-29 12:30:50 UTC
Permalink
Post by Anonymous
The EFail vulnerability threatened to punch a hole in PGP's security.
Horseshit.

The only FAIL is that idiots, you included, have no fucking idea what you're
talking about. Why are you spreading FUD?

Moron, may I call you Moron? What those assholes sold and what you bought,
Moron, is a social engineering attack against encrypted email. The end
result is that fellow Morons will stop using the only secure email tool.

Nothing is wrong with PGP or GPG when used correctly.

If you're dumb enough to use anything but plain text email, and dumb enough
to use shitty broken email clients, that's your problem. But it has nothing
to do with any weakness in PGP nor GPG.

Have a nice day, Moron!
Post by Anonymous
<https://www.wired.co.uk/article/efail-pgp-vulnerability-outlook-thunderbird-smime>
Motherfucking idiots.
s***@afdlwe.com
2018-07-29 23:00:21 UTC
Permalink
Post by invalid
Post by Anonymous
The EFail vulnerability threatened to punch a hole in PGP's security.
Horseshit.
The only FAIL is that idiots, you included, have no fucking idea what you're
talking about. Why are you spreading FUD?
Moron, may I call you Moron? What those assholes sold and what you bought,
Moron, is a social engineering attack against encrypted email. The end
result is that fellow Morons will stop using the only secure email tool.
Nothing is wrong with PGP or GPG when used correctly.
If you're dumb enough to use anything but plain text email, and dumb enough
to use shitty broken email clients, that's your problem. But it has nothing
to do with any weakness in PGP nor GPG.
Have a nice day, Moron!
Post by Anonymous
<https://www.wired.co.uk/article/efail-pgp-vulnerability-outlook-thunderbird-smime>
Motherfucking idiots.
+5 :o)
Your Friendly Neighbourhood Puppy Whistle Holder Emeritus 🐶笛
2018-07-30 05:57:54 UTC
Permalink
On Sun, 29 Jul 2018 12:30:50 +0000 (UTC), LO AND BEHOLD; "invalid
<***@is.invalid>" determined that the following was of great
importance and subsequently decided to freely share it with us in
Post by invalid
Post by Anonymous
The EFail vulnerability threatened to punch a hole in PGP's security.
Horseshit.
The only FAIL is that idiots, you included, have no fucking idea what
you're talking about. Why are you spreading FUD?
Moron, may I call you Moron? What those assholes sold and what you
bought, Moron, is a social engineering attack against encrypted email.
The end result is that fellow Morons will stop using the only secure
email tool.
Nothing is wrong with PGP or GPG when used correctly.
If you're dumb enough to use anything but plain text email, and dumb
enough to use shitty broken email clients, that's your problem. But it
has nothing to do with any weakness in PGP nor GPG.
Have a nice day, Moron!
Post by Anonymous
<https://www.wired.co.uk/article/efail-pgp-vulnerability-outlook-thunderbird-smime>
Motherfucking idiots.
at least they are all racists and think that obama wasn't born in hawaii...
--
THIS SPACE FOR RENT


"Thanks to muzzies and their apologist-enablers like puppy whistle, this
seems to be the new norm in the world. It's spreading like a cancer,
and it's time we admit we're at war with pure evil. We need to put an
end to this muzzie plague, or life on Earth is going to become pure hell
everywhere. We need to get these people out of every civilized
country, and there's only one way to do it. IOW, we have to become
like them, with an emphasis on expediency over cruelty." - Checkmate (of alt.checkmate)

"Pussy Willow has just proven that Trump's crackdown on previously
unenforced immigration policies is working. We'll deal with the domestic
terrorists as needed, but we don't need to be letting the muzzie
terrorists get a foothold in our country too. One need only look at what
they're doing in Europe right now to know we're doing the right thing by
keeping them out, which is our right and our duty. - Checkmate (#1 pussy willow fan)

-

"You just made puppy whistle's sig line longer." - Janithor

-

"If I have a complaint about the (Southern Poverty) Law Center's description (of the alt-right movement), it is the phrase "heavy use of social media," which implies the alt-right is a real-world movement which uses a lot of social media. This is backwards: it is an online movement which occasionally appears in the real world. Where it gets punched." - Jason Rhode

-

"I think we should destroy every last fucking mosque in America." - "Checkmate, DoW #1" <***@The.Edge> proves for us that white males are violent in Message-ID: <***@news.altopia.com>

-

Golden Killfile, June 2005
KOTM, November 2006
Bob Allisat Memorial Hook, Line & Sinker, November 2006
Special Ops Cody Memorial Purple Heart, November 2006
Special Ops Cody Memorial Purple Heart, September 2007
Tony Sidaway Memorial "Drama Queen" Award, November 2006
Busted Urinal Award, April 2007
Order of the Holey Sockpuppet, September 2007
Barbara Woodhouse Memorial Dog Whistle, September 2006
Barbara Woodhouse Memorial Dog Whistle, April 2008
Tinfoil Sombrero, February 2007
AUK Mascot, September 2007
Putting the Awards Out of Order to Screw With the OCD Fuckheads, March 2016
Nomen Nescio
2018-07-30 10:59:13 UTC
Permalink
Post by invalid
Post by Anonymous
The EFail vulnerability threatened to punch a hole in PGP's security.
Horseshit.
The only FAIL is that idiots, you included, have no fucking idea what you're
talking about. Why are you spreading FUD?
Moron, may I call you Moron? What those assholes sold and what you bought,
Moron, is a social engineering attack against encrypted email. The end
result is that fellow Morons will stop using the only secure email tool.
Nothing is wrong with PGP or GPG when used correctly.
That's the point. When used correctly, which cannot be
guaranteed.
Post by invalid
If you're dumb enough to use anything but plain text email, and dumb enough
to use shitty broken email clients, that's your problem. But it has nothing
to do with any weakness in PGP nor GPG.
Have a nice day, Moron!
Post by Anonymous
<https://www.wired.co.uk/article/efail-pgp-vulnerability-outlook-thunderbird-smime>
Motherfucking idiots.
Did you like fucking your mommy?
Nomen Nescio
2018-07-30 14:21:43 UTC
Permalink
Post by invalid
Nothing is wrong with PGP or GPG when used correctly.
That's the point. When used correctly, which cannot be
guaranteed.
So to do yourself and us a favour you'd better avoid any communication.
Nomen Nescio
2018-07-31 00:14:37 UTC
Permalink
Post by Nomen Nescio
Post by invalid
Nothing is wrong with PGP or GPG when used correctly.
That's the point. When used correctly, which cannot be
guaranteed.
So to do yourself and us a favour you'd better avoid any communication.
And conversely.
Anonymous
2018-07-31 15:05:13 UTC
Permalink
Post by Nomen Nescio
Post by Nomen Nescio
Post by invalid
Nothing is wrong with PGP or GPG when used correctly.
That's the point. When used correctly, which cannot be
guaranteed.
So to do yourself and us a favour you'd better avoid any
communication.
And conversely.
Say it like the Kingfish on Amos and Andy used to say it: "Uh
likewise".
invalid
2018-07-31 20:25:25 UTC
Permalink
Post by Nomen Nescio
Post by invalid
Nothing is wrong with PGP or GPG when used correctly.
That's the point. When used correctly, which cannot be
guaranteed.
So to do yourself and us a favour you'd better avoid any communication.
Hear, hear :)

invalid
2018-07-31 20:25:05 UTC
Permalink
Post by Nomen Nescio
Post by invalid
Post by Anonymous
The EFail vulnerability threatened to punch a hole in PGP's security.
Horseshit.
The only FAIL is that idiots, you included, have no fucking idea what you're
talking about. Why are you spreading FUD?
Moron, may I call you Moron? What those assholes sold and what you bought,
Moron, is a social engineering attack against encrypted email. The end
result is that fellow Morons will stop using the only secure email tool.
Nothing is wrong with PGP or GPG when used correctly.
That's the point. When used correctly, which cannot be
guaranteed.
So what? Eat shit and live.
Post by Nomen Nescio
Post by invalid
Post by Anonymous
<https://www.wired.co.uk/article/efail-pgp-vulnerability-outlook-thunderbird-smime>
Motherfucking idiots.
Did you like fucking your mommy?
I'll let you know when I'm done fucking your dad, Moron.
Anonymous
2018-07-30 14:03:33 UTC
Permalink
Post by invalid
Post by Anonymous
The EFail vulnerability threatened to punch a hole in PGP's
security.
Horseshit.
The only FAIL is that idiots, you included, have no fucking idea what
you're talking about. Why are you spreading FUD?
Moron, may I call you Moron? What those assholes sold and what you
bought, Moron, is a social engineering attack against encrypted
email. The end result is that fellow Morons will stop using the only
secure email tool.
Nothing is wrong with PGP or GPG when used correctly.
If you're dumb enough to use anything but plain text email, and dumb
enough to use shitty broken email clients, that's your problem. But
it has nothing to do with any weakness in PGP nor GPG.
Have a nice day, Moron!
Post by Anonymous
<https://www.wired.co.uk/article/efail-pgp-vulnerability-outlook-thunderbird-smime>
Motherfucking idiots.
must be a nigger. mf is their favorite word. or possibly he went
through nigger infested schools and picked up the language. i heard a
liberal teacher once say (before niggers were forced into white
schools) that that black stuff won't rub off on you. how wrong he was.
Anonymous
2018-07-29 20:42:08 UTC
Permalink
Post by William Unruh
I see you back up your claims with your own reputation!
I didn't make any claims. I just reposted a news article, and I
actually completely disagree with whatever they wrote in it.

I reposted it because I was very impressed with the unprofessionalism
of the Wired authors.
William Unruh
2018-07-29 21:54:37 UTC
Permalink
Post by Anonymous
Post by William Unruh
I see you back up your claims with your own reputation!
I didn't make any claims. I just reposted a news article, and I
actually completely disagree with whatever they wrote in it.
I reposted it because I was very impressed with the unprofessionalism
of the Wired authors.
Well, you could have said that. Having posted it, one can only assume you
agree with it.
s***@afdlwe.com
2018-07-29 23:14:21 UTC
Permalink
On Sun, 29 Jul 2018 22:42:08 +0200 (CEST), "Anonymous"
Post by Anonymous
Post by William Unruh
I see you back up your claims with your own reputation!
I didn't make any claims. I just reposted a news article, and I
actually completely disagree with whatever they wrote in it.
I reposted it because I was very impressed with the unprofessionalism
of the Wired authors.
Read this:
PGP encryption isn’t dead, despite the panic over EFAIL

https://www.icij.org/blog/2018/07/pgp-encryption-isnt-dead-despite-the-panic-over-efail/

A piece of the article.

"The EFAIL vulnerability isn’t a problem with the PGP protocol itself;
instead it concerns the systems that automate the decryption process
for users.

University of Münster researchers found the plaintext of the encrypted
emails was vulnerable to attackers when combined with HTML content in
an email. The plaintext could be siphoned out through hyperlinks
connected to the internet and exfiltrated, or transferred without the
owner’s permission."

Now - SHUT THE FUCK UP ABOUT PGP!
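
Added illustration, not part of any post in this thread and not code from the ICIJ or Wired articles: a mail-filter style check for the condition the quoted passage describes, PGP ciphertext sitting in the same message as HTML that pulls content from the network. The function names, the verdict labels and the sample messages are assumptions constructed for this example.

```python
import email
import re
from email import policy

ARMOR = "-----BEGIN PGP MESSAGE-----"
# Attribute forms that make an HTML renderer fetch something from the network.
REMOTE_REF = re.compile(r"""(?:src|href|background)\s*=\s*["']?\s*(?:https?:)?//""", re.I)


def classify(raw: bytes) -> str:
    """Return 'quarantine', 'plaintext-only' or 'ok' (hypothetical labels)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted = html = remote_html = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if ctype == "application/pgp-encrypted" or ARMOR in body:
            encrypted = True      # PGP/MIME control part or inline-armored ciphertext
        elif ctype == "text/html":
            html = True           # HTML that travels outside the ciphertext
            remote_html = remote_html or bool(REMOTE_REF.search(body))
    if encrypted and remote_html:
        return "quarantine"       # ciphertext next to network-fetching HTML
    if encrypted and html:
        return "plaintext-only"   # show the decrypted text, never render the HTML
    return "ok"


def sample(html: str, with_pgp: bool = True) -> bytes:
    """Constructed test message: one HTML part followed by one text part."""
    text = f"{ARMOR}\r\n\r\n(constructed placeholder)\r\n-----END PGP MESSAGE-----" if with_pgp else "hello"
    return (
        "From: a@example.org\r\nTo: b@example.org\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
        f"--XYZ\r\nContent-Type: text/html; charset=utf-8\r\n\r\n{html}\r\n"
        f"--XYZ\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n{text}\r\n"
        "--XYZ--\r\n"
    ).encode()


if __name__ == "__main__":
    print(classify(sample('<img src="http://img.example/logo.png">')))
    print(classify(sample("<p>no remote content</p>")))
    print(classify(sample('<a href="https://example.org/">x</a>', with_pgp=False)))
```

HTML that sits inside the ciphertext is invisible to this check by design; it only looks at what accompanies the encrypted part in the clear.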
s***@afdlwe.com
2018-07-29 23:22:21 UTC
Permalink
Post by s***@afdlwe.com
On Sun, 29 Jul 2018 22:42:08 +0200 (CEST), "Anonymous"
Post by Anonymous
Post by William Unruh
I see you back up your claims with your own reputation!
I didn't make any claims. I just reposted a news article, and I
actually completely disagree with whatever they wrote in it.
I reposted it because I was very impressed with the unprofessionalism
of the Wired authors.
PGP encryption isn’t dead, despite the panic over EFAIL
https://www.icij.org/blog/2018/07/pgp-encryption-isnt-dead-despite-the-panic-over-efail/
A piece of the article.
"The EFAIL vulnerability isn’t a problem with the PGP protocol itself;
instead it concerns the systems that automate the decryption process
for users.
University of Münster researchers found the plaintext of the encrypted
emails was vulnerable to attackers when combined with HTML content in
an email. The plaintext could be siphoned out through hyperlinks
connected to the internet and exfiltrated, or transferred without the
owner’s permission."
Now - SHUT THE FUCK UP ABOUT PGP!
Some might find the following a bit interesting.

https://www.schneier.com/academic/paperfiles/worldwide-survey-of-encryption-products.pdf

Bruce Schneier
Berkman Center for Internet & Society
Harvard University
***@schneier.com

Kathleen Seidel
Independent Researcher
***@gmail.com

Saranya Vijayakumar
Harvard College
***@college.harvard.edu