Disclosure sparks intense debate over PGP-encrypted email – but where does the flaw actually lie?

A vulnerability in some email clients divided the cybersecurity community this week, igniting an intense ‘blame game’ across social media over the way it was disclosed.

The findings of a report, released yesterday, stated that a critical flaw – dubbed Efail – can be exploited to steal encrypted data from emails and view the information in plaintext.

It concerned the way that PGP or S/MIME are integrated in email services including Microsoft Outlook, Mozilla Thunderbird, and Apple’s iOS mail.

The security researchers who uncovered the flaw called for people to stop using PGP as a means of defending against their encrypted emails from being exposed.

But all was not as it seemed as, on closer inspection, the flaw lies not within PGP or S/MIME but within the way certain email clients use them.

Researchers wrote: “In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.

“The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”

The Efail authors were slammed online for what some dubbed was an “irresponsible” disclosure due to an over-hyped build up before its release.

The researchers – from Munster University, Ruhr University, and KU Leuven – posted ‘teaser’ press releases online and placed an embargo on the report, which was subsequently broken.

They were also accused of misleading readers by blaming PGP and S/MIME for the flaws, rather than the email clients.

There were also claims that GnuPG wasn't notified by the research team before the findings were posted online.

But what angered the Infosec community most was the researchers’ suggestion that users stop using PGP and S/MIME.


Professor Sebastian Schinzel, co-author of the paper, told his Twitter users to disable PGP and S/MIME to prevent against an attack, after claiming there are “no reliable fixes”.

The Electronic Freedom Foundation (EFF) echoed this sentiment in a blog post which read: “Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

“Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.”

These claims lead some cybersecurity professionals to blast both the EFF and the researchers.

Take for example Jake Williams, who wrote on Twitter: “The big problem with #efail is how it was disclosed. Nobody should be disabling PGP.

“You are far safer with it than without it, even if your email client is buggy. Also, patch your software. Really. It helps.”

TrustedSec founder Dave Kennedy added: “We have a responsibility in our positions where the world really listens to us as experts when we identify exposures that have impact on real world things.

“Creating alarm and hype for issues that aren’t extremely critical or impactful hurts that credibility.

“Issue doesn’t involve encryption though - there is zero issues with the encryption. It’s implementation of clients that allow ability to execute HTML as well as ability to arbitrarily add it to the message.

“Not saying there isn’t an issue but you literally have to compromise a data source with encrypted emails then spear phish a vuln (sic) client with keys in order to receive info.

“Difference in vulnerability vs. risk… this isn’t ‘stop using PGP now’ worthy.”

No winner?

Any disclosure of a vulnerability will be scrutinized, of course, whether it concerns the speed, accuracy, or whether it was indeed over-hyped – such as the AMD chip disclosure earlier this year.

Regardless of the furor surrounding the disclosure, the bug itself remains both a creative and serious attack.

It just seems the lengths the researchers went to – placing an embargo on the report to drum up media interest – overshadowed the importance of their findings.

But as the debate continues to rage online, developer Robert J Hansen noted: “Maybe it was a comedy of errors, maybe it was deliberate. I don't know. You probably don't, either. Let's not assume the worst.”