
Misleading Advice Following the Efail PGP Vulnerability: Encryption is Better than no Encryption


Synack CTO and Co-Founder Mark Kuhr analyzes the reported PGP vulnerability "Efail" and the guidance given to consumers from the research group who discovered the vulnerability.

REDWOOD CITY, Calif. (PRWEB) May 14, 2018

Another security nightmare starts to unfold as a news article from Gizmodo on Monday suggested that "if you use PGP or S/MIME for email encryption you should immediately disable it in your email client." Why such a dire command? A vulnerability called "Efail", discovered Monday morning by a group of researchers in Europe, which exposes encrypted emails in plain text. Gizmodo's advice was basically just repeating the urging from the group of EFF researchers who originally found and disclosed the vulnerability: "Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email." This panic in the cyber security space is something we have now become all too used to.

Independent security researchers are advising people to stop using PGP, and the media is following suit. But this is a terrible idea. Even if a malicious actor could exploit this vulnerability (which would prove to be difficult), encryption is better than no encryption. This is like saying "your lock may not work, so leave your door wide open."

The researchers reported this as a bug in PGP, but it is not a PGP issue. The vulnerability lies in the way email clients render mail. Efail is not a cryptographic attack against the PGP encryption protocol as the EFF researchers originally reported; it is a common client-side content rendering vulnerability. Savvy users of email clients would already have disabled scripts and other forms of active content when rendering and decrypting email.
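As an added illustration (example code, not from the press release or from Synack) of the client-side mitigation this paragraph refers to: a Python sketch of a rendering policy that displays only the text/plain parts of a decrypted message and reports the active elements, inline handlers and remote references found in its HTML parts. The sample message body is constructed for the example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Tags that embed scripts or other documents (active content), and attributes
# that make a mail client fetch a remote resource while rendering.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form", "link", "meta"}
REMOTE_ATTRS = {"src", "href", "background", "action", "poster", "data"}
REMOTE_URL = re.compile(r"^\s*(https?:|ftp:|//)", re.I)

class ActiveContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"inline handler {name} on <{tag}>")
            elif name in REMOTE_ATTRS and value and REMOTE_URL.match(value):
                self.findings.append(f"remote reference {name}={value}")

def render_safely(raw_message):
    """Policy for a decrypted MIME body: show text/plain parts only and
    report what the text/html parts would have loaded or executed."""
    msg = message_from_string(raw_message)
    shown, findings = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/plain":
            shown.append(body.strip())
        else:
            scanner = ActiveContentScanner()
            scanner.feed(body)
            findings.extend(scanner.findings)
    return "\n".join(shown), findings

# Constructed sample: a multipart body as a client holds it after decryption.
SAMPLE = ("MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary=b1\n\n"
          "--b1\nContent-Type: text/plain; charset=utf-8\n\nMeeting moved to 3pm.\n"
          "--b1\nContent-Type: text/html; charset=utf-8\n\n"
          '<body onload="x()"><p>Meeting moved to 3pm.</p>'
          '<img src="https://tracker.example/p.gif"><script>x()</script></body>\n'
          "--b1--\n")
```

Running `render_safely(SAMPLE)` returns the plain-text body for display and three findings (the inline `onload` handler, the remote image and the script element) that a safe client would never load or execute.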

Why Does it Matter?

-The way that Efail was presented is misleading, which brings into question the fame that is so readily and easily given to researchers who "responsibly disclose" vulnerabilities for the media attention. Who is validating their findings and checking their facts? Are we to believe everything we read?
ProtonMail tweeted this in response: "Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched."

-Beyond the recklessness of the research group, what about the media that covered the story? Journalists need to do some diligence before they report on these types of vulnerabilities and pass on advice that ultimately pushes users away from secure communications channels.

-Despite the hype around it, the Efail vulnerability is entirely preventable without patches and can be safely mitigated through client settings in most common PGP clients.

We all face enough legitimate cyber security issues without adding more noise here. We can't go around encouraging consumers to turn off encryption in their email. That's just asking for a devastating 0day. Be careful what you believe.

About Synack

Synack, the leader in crowdsourced security testing, provides real security to the modern enterprise. We leverage the world's most trusted ethical hackers and an industry-leading platform to find critical security issues before criminals can exploit them. Companies no longer have to choose between working with the best security talent and a lack of time, resources, or trust. Headquartered in Silicon Valley with regional offices around the world, Synack has protected over 100 global organizations by reducing companies' security risk and increasing their resistance to cyber attack.

For the original version on PRWeb visit:
