For more than a week, PGP developers have been rapidly working to patch critical flaws in the legacy encryption protocol used for sending and receiving secure emails; a tool that’s widely relied upon by lawyers, journalists, dissidents, and human rights advocates, many of whom operate at the highest levels of risk in shadows cast by repressive and unforgiving regimes.
Progress is slow and as Gizmodo has learned, a number of exploits remain active, impacting at least two of the most popular PGP programs.
The initial flaws, known as eFAIL, were disclosed by researchers Sebastian Schinzel, Jens Müller and six others. And while those have been addressed, new exploits stemming from their research continue to leave certain PGP clients vulnerable to attack, according to multiple experts involved in ongoing research, as well as video of an as-of-yet unpatched vulnerability review by Gizmodo.
(Update: The Intercept’s Micah Lee published a GPGTool exploit, which he demonstrated for Gizmodo yesterday. The exploit is referenced in this article; however, Gizmodo agreed to withhold certain details until after Lee’s article was published.)
Last week, the Electronic Frontier Foundation (EFF) issued vague and, therefore, ultimately controversial advice instructing users to discontinue their use of PGP. The decision led to blowback from the infosec community and the publication of several misleading articles by reporters trying to cover the event before they understood it. As such, the EFF has spent the last week in a perpetual crisis mode, communicating with a network of cryptographers and other experts working on ways to to bypass the latest eFAIL patches.
It hasn’t been easy. On the phone Thursday, Danny O’Brien, EFF’s international director, joked that his desk was virtually covered in sympathy gifts dropped off by his colleagues. The tone of his occasional laughter seemed more medicinal than comically induced. The stress in his voice, however, was far more pronounced when discussing the problems facing the users in far off country who depend on PGP than at any point when discussing the hits to EFF’s reputation.
“We’ve been defending PGP for 27 years in court and elsewhere,” he said. “We have a lot of time to make it up to all these people. They’re mad at us. It’s fine.”
Earlier that day, top developers at Protonmail, Enigmail, and Mailvelope—all PGP services—published recommendations to counter those issued by EFF last week. EFF’s advice to discontinue use of PGP was, the devs said, “highly misleading and potentially dangerous.” The statement was also signed by Phil Zimmerman, PGP’s creator.
Among other advice, the developers urged users to download Engimail’s latest patch: version 2.0.5. For those using GPGTools, the add-on used to encrypt emails in Apple Mail, they suggested disabling the option to load remote content in messages.
Within hours, however, Gizmodo heard from multiple researchers who claim to have circumvented these measures. By 7pm Thursday, the EFF was politely, but frantically, emailing Enigmail’s founder, Patrick Brunschwig, but had yet to receive a response. Four hours earlier, Brunschwig told Gizmodo that he was unaware of any new issues with the latest version of his plugin, which enables PGP on Mozilla’s email client, Thunderbird.
A previous Enigmail patch addressing eFAIL, released on May 16, was quickly bypassed by infosec researcher Hanno Böck—two days after several leading PGP developers claimed that Enigmail had been patched and was totally safe to use.
Gizmodo was alerted to flaws discovered as recently as Wednesday that currently impact multiple PGP implementations, including Enigmail (Thunderbird) and GPGTools (Apple Mail)—the technical details of which are withheld here while the appropriate developers are contacted and given time to address them.
Regardless, the advice offered by Protonmail, Enigmail, and others on Thursday appears no longer valid—cringeworthy, given one subtitle in the post that reads: “Why our recommendation is better than EFF’s recommendation.”
It’s true, O’Brien admits, the advice EFF first offered was cloudy. But at the time, the intention was not to offer technical details or support. The group simply wanted as many people as possible to stop using PGP, and they wanted it to happen fast.
The researchers behind eFAIL had decided upon a 24-notice, and though they too were met with criticism online, accused in some cases of stirring up “drama” for the sake of publicity, it was thought best to give users at least some time to disable the affected plugins before publishing their proof-of-concept. In particular, it was feared that with the knowledge contained in the researcher’s paper, malicious actors would adopt the techniques and begin to launch attacks within a few hours time.
“The researchers were describing an entire class of new attacks. There was this one thing that was super easy that they came up with, but they also paint in the paper a huge bunch of other attacks that would work,” O’Brien said by phone. “It wasn’t a case of having to write software to do this. You could literally just cut and paste what they said in the paper and use it. The video of how easy it was to use, that was the thing that clinched it for me—sitting and watching a video of someone just clicking a few buttons and being able to exfiltrate data.”
“We needed to chill things down,” he said. “Our thinking was, ‘Okay, everybody just chill for a week, and then patches will be out, and then we can all get back to normal.’”
But the 24-hour period the researchers had hoped for was interrupted. The pre-disclosure-disclosure had immediately turned into a massive clusterfuck, with angry accusations being flung from all corners of the web. Two hours after EFF’s warning was published, Werner Koch, the principal author of GNU Privacy Guard, the latest iteration of PGP, released details explaining how the eFAIL vulnerability worked. The embargo was blown.
Unsure of how to react, the EFF ultimately decided not to cite or share any specific details about the eFAIL flaws until the following morning, remaining fearful of propagating the easy-to-replicate exploits before its warning had been widely received.
For hours after the public learned that not every PGP app was affected, the EFF’s website continued to merely advise, “stop using PGP.”
On Twitter and in his message preemptively disclosing the eFAIL flaws, Koch claimed that GnuPG had not received any advanced warning from the researchers. But two hours later, the story changed. Koch later said he had found an email exchange between himself and the researchers from November 2017, describing flaws, he said, that did not appear critical.
In April, GnuPG apparently received a version of the eFAIL report that would be later published. It was ultimately dismissed.
Koch writes, in part:
The GnuPG team discussed this but did not see that any action was required. In particular because due to the redaction we were not able to contact and help the developers of other [mail user agents] which might be affected.
“Disclosure is always hard when dealing with problems that are still unpatched when the researchers publish, and they’ll always be things we could do better,” O’Brien said. “But in cases like this where changes are fast-moving—both when people are developing new exploits based on a paper, and developers are working hard to patch them, and the population is particularly vulnerable, we felt it better to be conservative.”
In an email Friday morning, Jens Müller, one of the original eFAIL researchers, said that he expects new exploits to pop up in the coming weeks. “Depending on your threat model, the EFF was right (and Protonmail is wrong),” he wrote in an email. “It’s sometimes better to [temporarily] disable encryption (or decrypt in the terminal) than to have your whole past communication at stake.”
Meanwhile, it remains unclear whether reverting to simple HTML, as recommended by Protonmail, will even mitigate future exploits developed from the eFAIL paper, researchers said. And notably, HTML cannot be disabled entirely in Apple Mail, potentially leaving the developers behind GPGTools in a tough spot. Currently, GPGTools recommends “as a workaround” disabling the option to “load remote content in messages.” But Gizmodo has since learned this is no longer entirely effective.
What’s more, the eFAIL team now says it’s testing two new exploits that may end up rendering one of the last-resort solutions—only ever using plaintext— inviable.
The cycle of developers introducing patches and having them bypassed within days could carry on for weeks, if not months. The advice to avoid Enigmail and PGPTools, therefore, remains sound, both the EFF and the eFAIL researcher agreed. But again, it really depends on the threat model of individual PGP users. For those facing few threats and simply using PGP to keep the messages private from unsophisticated prying eyes, like a boss, for example, there’s little reason to abandon PGP, even if it remains inherently flawed.
However, for those who have legitimate reasons to suspect they are being individually targeted by an advanced threat, like a nation state, the EFF’s warning should not be taken lightly or ignored simply because a handful of developers are arguing it’s overkill. If lives are truly on the line, why throw caution to the wind?
While the last batch of exploits isn’t “quite as impressive” as those in the original eFAIL paper, “it’s still pretty bad,” O’Brien said. “Bad enough that we’re going to hold off on changing our advice.”
“Once it’s out there,” he said, “it’s hard to walk it back.”
Update, 2pm: The PGP advice signed by Phil Zimmerman and developers for Protonmail, Mailvelope, and Enigmail, which criticizes the EFF’s recommendations, no longer mentions disabling remote loading in GPGTools. It now advises users instead to switch to Enigmail, which this article notes is still vulnerable. (Archived copy | Live version)