It is turning out to be a pretty bad day for Pretty Good Privacy (PGP), one of the most widely used encryption standards, which rolled out nearly 30 years ago. Researchers have disclosed a proof-of-concept that reveals how an attacker might exfiltrate the decrypted contents of a PGP message from a target's computer, provided they can intercept the message in transit, or infiltrate their computer first.
PGP has always been a bit messy and not very easy for non-technical users to understand, and today there are other, much simpler ways to communicate securely online, such as Signal. But for those curious about the attack surface, the flaws appear to impact users of several email clients that rely on plugins to decrypt PGP emails, including Thunderbird, Outlook, and Apple Mail.
The attack itself requires a malicious party to intercept or steal your emails, either in transit or where they are stored (locally or on a remote mail server). The likelihood of this is pretty low, provided you're not already being individually targeted by a sophisticated threat, such as a state intelligence agency. But if your email is intercepted, the attack allows for the ciphertext - the "gobblydy gook" that makes up an encrypted message — to be altered in a way that once decrypted, the plaintext version of the message may be automatically transmitted back to the attacker, if you are using one of the affected email clients.
The researchers behind the proof-of-concept have released a paper online, which you can peruse at your own leisure for a better technical understanding.
Encrypted emails are not, of course, the only way people share sensitive information using the PGP protocol. One of the most important for sources who leak sensitive information to news organisations is SecureDrop. Fortunately, the PGP attack has no hope of decrypting intercepted messages using this system.
First, the crypo employed by PGP is not broken. And second, the SecureDrop system, which uses PGP, relies on a variety of other protocols that render the EFAIL attack completely ineffective. Most importantly, SecureDrop messages and files are only ever opened on a computer that lacks the ability to connect to the internet, precluding the possibility of a plaintext message being transmitted anywhere.
It is not correct to call Efail a new vulnerability in PGP and S/MIME. The root issue has been known since 2001. The real issue is that some clients that support PGP were not aware for 17 years and did not perform the appropriate mitigation.
— ProtonMail (@ProtonMail) May 14, 2018
SecureDrop is an open source whistleblower system, originally coded by the late Aaron Swartz, which allows media organisations to receive sensitive documents and messages from sources whose leaking may carry serious repercussions, such as government employees.
"SecureDrop is architected in a way that splits off and airgaps the news outlet's PGP private key from the Tor-accessible server containing the public key," explains Bill Budington, the Electronic Frontier Foundation's senior staff technologist. "A journalist must decrypt messages on a machine that lacks internet connectivity, thus rendering any exfiltration channel useless."
There's a chorus of security professionals, including those at the secure email service ProtonMail, who say the PGP vulnerability is being wildly over-hyped by the press. (Most news reports have encouraged readers to discontinue use of PGP altogether, advising it is no longer safe, which some experts believe is overkill.)
"Security is a cost/benefit game — eventually a sufficiently motivated attacker will get you — and to exploit this bug, the attacker must be very motivated," security evangelist Alec Muffett told Gizmodo. "The necessary combination of effort, background knowledge, and malicious intent, is pretty hard to scale up to more than a few (dozen?) people; and by the time one achieves that, the bug fixes will likely be 'out' anyway, neutering the attack."
"If people en-masse delete PGP in the belief that it puts them at risk, it's like a population stopping using car safety-belts because they heard that a person got trapped by theirs in a car crash, and died," Muffett added.