Carter Yagemann

Assistant Professor of Computer Science and Engineering at the Ohio State University with interests in automated vulnerability discovery, root cause analysis, exploit prevention, and cyber-physical security.

EFF and EFAIL: An Example of Hype Culture Gone Awry
I usually try to keep my blog posts technical and free of politics, but I can't hide my frustration over EFF's response to today's release of the EFAIL vulnerability.

If you haven't heard by now, EFAIL is the name of a vulnerability having to do with how email clients like Thunderbird handle PGP-encrypted emails. This vulnerability allows a strong adversary to decrypt emails given that they already hold previously encrypted messages from a victim, can tamper with emails in transit, and assuming the victim's client is configured to automatically fetch remote content.

I emphasize the word strong because any security researcher can see that these preconditions mean this attack is only a concern to individuals being targeted by nation-states. As many Slashdot users and companies like ProtonMail have pointed out, this vulnerability is over-hyped, blown out of proportion, and the course of action being loudly proposed is somewhere between draconian and moronic.

Unfortunately, it seems EFF is at the forefront of this crusade to misguide users. Within hours of the details being released, EFF published a blog post advising everyone to immediately stop using PGP. Since then, less than 24 hours later, EFF has published over 13 articles driving home the "crisis" and providing step-by-step tutorials on how to "take action" by disabling PGP and decrypting emails. It is impressive that EFF has managed to write so much about EFAIL in so little time.

As a security researcher, allow me to share a piece of wisdom echoed by many of my peers. The appropriate reaction to a vulnerability that can potentially decrypt emails is not to start sending messages in plaintext. Sane people don't erase their operating system because of a bug, disable their firewall because of a glitch, or stop using encryption because of a flawed implementation. Decide how big of a risk EFAIL is to you, come up with a plan for remediation based on that risk, and apply software patches when they become available. For most users, this boils down to simply continuing your good security habits. Disabling security in response to a bug is insanity.

Shame on EFF for over-hyping vulnerabilities and giving terrible security advice!