New PGP Encryption Exploits Are Being Discovered Almost Every Other Day


For more than a week, PGP developers have been rapidly working to patch critical flaws in the legacy encryption protocol used for sending and receiving secure emails that’s widely relied upon by lawyers, journalists, dissidents, and human rights advocates, many of whom operate at the highest levels of risk while in the shadows of oppressive, unforgiving regimes.





Progress is slow. And as Gizmodo has learned, a number of exploits remain active, impacting at least two of the most popular PGP programs.


While the flaws—known as eFAIL and initially disclosed by researchers Sebastian Schinzel, Jens Müller and six others—have been repaired, new exploits stemming from their research continue to leave certain PGP clients vulnerable to attack, according to interviews with multiple experts involved in ongoing research, as well as video of an as-of-yet unpatched vulnerability seen by Gizmodo.


(Update: The Intercept’s Micah Lee published a GPGTool exploit, which he demonstrated for Gizmodo yesterday. The exploit is referenced in this article; however, Gizmodo agreed to withhold certain details until after Lee’s article was published.)


Last week, the Electronic Frontier Foundation (EFF) issued vague and, therefore, ultimately controversial advice instructing users to discontinue their use of PGP. The decision led to blowback from the infosec community and the publication of several misleading articles by reporters trying to cover the event before they understood it. As such, the EFF has spent the last week in a perpetual crisis mode, communicating with a network of cryptographers and other experts working on ways to bypass the latest eFAIL patches.


It hasn’t been easy. On the phone Thursday, Danny O’Brien, EFF’s international director, joked that his desk was virtually covered in sympathy gifts dropped off by his colleagues. The tone of his occasional laughter seemed more medicinal than comically induced. The stress in his voice, however, was far more pronounced when discussing the problems facing the users in far-off countries who depend on PGP than at any point when discussing the hits to EFF’s reputation.


“We’ve been defending PGP for 27 years in court and elsewhere,” he said. “We have a lot of time to make it up to all these people. They’re mad at us. It’s fine.”


Earlier that day, top developers at Protonmail, Enigmail, and Mailvelope—all PGP services—published recommendations to counter those issued by EFF last week. EFF’s advice to discontinue use of PGP was, the devs said, “highly misleading and potentially dangerous.” The statement was also signed by Phil Zimmermann, PGP’s creator.


Among other advice, the developers urged users to download Enigmail’s latest patch: version 2.0.5. For those using GPGTools, the add-on used to encrypt emails in Apple Mail, they suggested disabling the option to load remote content in messages.


Within hours, however, Gizmodo heard from multiple researchers who claim to have circumvented these measures. By 7pm Thursday, the EFF was politely, but frantically, emailing Enigmail’s founder, Patrick Brunschwig, but had yet to receive a response. Four hours earlier, Brunschwig told Gizmodo that he was unaware of any new issues with the latest version of his plugin, which enables PGP on Mozilla’s email client, Thunderbird.


A previous Enigmail patch addressing eFAIL, released on May 16, was quickly bypassed by infosec researcher Hanno Böck—two days after several leading PGP developers claimed that Enigmail had been patched and was totally safe to use.




“The researchers were describing an entire class of new attacks. There was this one thing that was super easy that they came up with, but they also paint in the paper a huge bunch of other attacks that would work,” O’Brien said by phone. “It wasn’t a case of having to write software to do this. You could literally just cut and paste what they said in the paper and use it. The video of how easy it was to use, that was the thing that clinched it for me—sitting and watching a video of someone just clicking a few buttons and being able to exfiltrate data.”


“We needed to chill things down,” he said. “Our thinking was, ‘Okay, everybody just chill for a week, and then patches will be out, and then we can all get back to normal.’”


But the 24-hour period the researchers had hoped for was interrupted. The pre-disclosure-disclosure had immediately turned into a massive clusterfuck, with angry accusations being flung from all corners of the web. Two hours after EFF’s warning was published, Werner Koch, the principal author of GNU Privacy Guard, the latest iteration of PGP, released details explaining how the eFAIL vulnerability worked. The embargo was blown.



