Coordinated disclosures can be difficult beasts to corral. So, after the Efail disclosure leaked prematurely, experts debated whether it's too much to
Coordinated disclosures can be difficult beasts to corral. So, after the Efail disclosure leaked prematurely, experts debated whether it’s too much to ask that these issues stay secret.
The research teams behind the Efail disclosure process aimed to release details of the Pretty Good Privacy (PGP) and Secure Multipurpose Internet Mail Extensions (S/MIME) flaws on May 15, 2018. However, a teaser post by the Electronic Frontier Foundation (EFF) and a tweet by one researcher early in the morning on May 14 led to the discovery of the link for the research paper describing the flaws within hours.
Steve Malone, director of security product management at Mimecast, headquartered in London, said the attempt at generating hype was to blame for the situation getting out of control.
“The problem with releasing a tease to the media and security community about a potential vulnerability is that it causes speculation to run wild. Fake news, FUD [fear, uncertainty, doubt] and misinformation often lead to worse consequences,” Malone said via email. “It’s often easier to draw attention to vulnerabilities in this way, but a more controlled disclosure is often the right way to go.”
Beyond the timing of the Efail disclosure being thrown off, the messaging was also confusing. The research paper noted that S/MIME in all clients was vulnerable to Efail, while the risk in PGP clients was dependent on the implementation of the protocol. But the EFF’s blog post focused the vast majority of attention on the PGP side of the Efail flaws and only mentioned S/MIME once, compared to 51 mentions of PGP in the post.
Matthew Green, cryptography expert and professor at Johns Hopkins University’s Information Security Institute, wrote in an analysis of the Efail disclosure that “the real story here is the insecurity of S/MIME.”
“That protocol is used by a huge number of firms handling confidential and classified email. The fact that this protocol — and Microsoft Outlook — are broken is a really big deal. It’s a very big problem that our ‘main’ corporate encrypted email protocol is this weak,” Green wrote. “The fact of the matter is that Efail is a very serious bug that occurs across a large number of different email clients. It enables total decryption of email messages, something that absolutely should not be possible in 2018. Even worse, the flaws that cause Efail have been well known since at least 2000-2001. The fact that this is occurring in so many different email clients indicates, to me, that the PGP tool development community is not pursuing cryptographic security to the extent required of a serious encryption tool.”
The response from the PGP community has been mixed in the Efail disclosure process. NeoPG — a smaller fork of GnuPG — said it was notified by researchers in January 2018 and reported having an outstanding experience.
On the other hand, Werner Koch, principal author of GnuPG, initially claimed he had never been contacted by the researchers during the disclosure process. Koch eventually checked his old emails and admitted he was notified of the planned paper in November 2017. He relayed his conversation with the Efail researchers and said he was not very worried about the issues being raised over how the Modification Detection Code (MDC) authentication could be bypassed in GnuPG.
“Your attack should not work if the MDC is in use. And it is always in use for [Advanced Encryption Standard],” Koch wrote on the GnuPG mailing list. “They said that they did a simple rollback to the non-MDC encryption. This is a pretty old thing which we are aware of and the reasons why a warning has always been printed in that case.”
Koch went on to say any errors arising from clients ignoring the warning message were issues for the email clients to resolve, not GnuPG.
Moving beyond blame in the Efail disclosure mess
Green wrote that this type of blame-shifting belied the real problem with PGP, which he said was a lack of leadership.
“The answer, it seems to me, is that nobody is really leading the PGP community in any way. Leadership in this sense means somebody who is in a position of influence, who works on various projects, and who uses and communicates with other developers in the space. This person would be aware when clients are doing things improperly, and would say something about it,” Green wrote. “If possible they would modify their own tools to ensure that third party clients can’t misuse them. Other open source encryption projects like TLS [Transport Layer Security] have the IETF [Internet Engineering Task Force] and a handful of strong experts in corporate positions. PGP doesn’t really have anything comparable.”
Jesse Victors, security expert at Synopsys, based in Mountain View, Calif., said misrepresenting the risks of a flaw could be a more general issue with branded vulnerabilities.
“Efail is a serious issue for older or misconfigured clients and it should be fixed, but the website and shorter name make it very easy to vastly overstate the potential impact. I would have preferred if the authors kept to normal and quieter channels, such as those used for responsible disclosure. This way, the researchers can discuss the issue with the relevant parties, which will lead to a better agreement on the likelihood, impact, and severity of the finding,” Victors said via email. “The logo/website/name pattern is very search friendly, but this does not necessarily mean that the issue is of a catastrophic nature. We have seen some recent examples where the website may have been a market manipulation trick. I would have liked the Efail authors to have held to the normal responsible disclosure patterns.”