
Why we still need GnuPG

by Andrew Engelbrecht. Published on Nov 12, 2018 12:01 PM

The use of GNU Privacy Guard (GPG) encrypted emails is important for political dissidents, journalists, whistleblowers, and those who need to protect the privacy of their messages. GPG is an essential tool for securely encrypting and signing communications, to mitigate surveillance and impersonation. For some people, their very life, and the lives of those they love, are at stake, so ensuring that their communications are secure is critical.

Even for those of us who do not have this level of need, we should still aim to not simply hand over our private information to whichever surveillance states and email service providers happen to be recording our communications. In addition, ordinary everyday use of GPG helps to provide cover for those who need it most. The FSF created the Email Self-Defense Guide at emailselfdefense.org to expand the practice of email encryption.

In May 2018, efail.de announced a vulnerability, dubbed EFAIL, for some email clients that use GPG or S/MIME to decrypt encrypted messages. S/MIME is an encryption scheme that relies upon a certificate authority instead of peer-to-peer key signing. In the case of GPG-encrypted emails, the vulnerability was not in GPG itself, but rather in the way that some email clients decrypt messages, which allowed attackers to embed encrypted messages within maliciously crafted HTML code. After decryption, loading HTML elements or clicking on links could then exfiltrate the decrypted data to remote servers. Some users could work around this problem by disabling HTML rendering of emails, because without loading HTML elements, the data could not be exfiltrated. However, for S/MIME users, disabling HTML rendering alone was not entirely secure. Some GPG users remained at risk, because Apple's proprietary email client doesn't allow disabling HTML rendering of emails.

The Electronic Frontier Foundation (EFF) published an article about the vulnerability, drawing attention to the problem, and controversially recommended that people stop encrypting and decrypting emails within their email clients until the issue was resolved. Since that time, all known attack vectors have been patched and resolved in Icedove and Thunderbird, as well as Enigmail, which is a GPG encryption and decryption plugin for those email clients. As far as EFAIL is concerned, using GPG with Enigmail should be safe, as long as you and the people you are corresponding with are using the latest version of the plugin and email client. Even if there are more unknown attack vectors, we still believe that people should use GPG to protect their email and to provide coverage for those who depend on it the most, with the caveat that the right answers here may differ for people who believe they are or may be individually targeted by well-resourced surveillance.

For added safety, you should still disable HTML rendering in your email client. Doing so should reduce the attack surface of your email client if future vulnerabilities are discovered. Disabling the automatic loading of external HTML assets, another common feature, will help to protect your IP address and other information, but it is not sufficient on its own to mitigate EFAIL, because loading assets manually remains possible, and is therefore insecure.

Another preventative measure that is not strictly necessary, if you are using the latest version of Enigmail and your email client, is to copy and paste links into a text editor and to eyeball them before following those links. If you use another email client, you should check the project's Web site, or contact one of its maintainers, to see how well it's mitigating known attacks against GPG encrypted email.
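The script below is an added example, not code from the article or from any project it names. It lists the remote URLs an HTML email would fetch on display or open on a click, which is what disabling HTML rendering and eyeballing links guard against; the tag list in `KINDS` and the sample message are assumptions made for the example, and it does not detect EFAIL itself.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs: fetched by the renderer on display vs. followed on a click.
KINDS = {("img", "src"): "auto-load", ("link", "href"): "auto-load",
         ("iframe", "src"): "auto-load", ("body", "background"): "auto-load",
         ("a", "href"): "click", ("form", "action"): "click"}

class UrlCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (kind, host, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = KINDS.get((tag, name))
            try:
                parts = urlsplit((value or "").strip())
            except ValueError:
                continue  # malformed URL, nothing to resolve
            if kind and parts.scheme in ("http", "https"):  # skip cid:, data:, mailto:
                self.found.append((kind, parts.hostname, value))

def remote_references(raw_message):
    """List every remote URL the HTML parts of a message would fetch or link to."""
    collector = UrlCollector()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            collector.feed(payload.decode(charset, errors="replace"))
    return collector.found

# Constructed sample message, not taken from any real mail.
SAMPLE = """\
From: alice@example.org
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://tracker.example.net/pixel.png">
<a href="https://www.example.com/report?id=42">quarterly report</a>
<img src="cid:logo@example.org">
</body></html>
"""

if __name__ == "__main__":
    print(*remote_references(SAMPLE), sep="\n")
```

A message that yields no entries has nothing for the renderer to fetch; any "auto-load" entry is a request your client would make as soon as the message is displayed with HTML rendering and remote content enabled.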

The EFAIL vulnerability is just another demonstration of the benefits of free software: GPG and Enigmail are free software, and their source code is available to be audited by anyone, so researchers can find security holes and fix them. Researchers who find issues and write patches may share them freely with everyone, and those patches may also be audited by anyone who knows how. On the other hand, if you use proprietary software, like Apple's bundled email client, you may have to deal with antifeatures that compromise your security when opening encrypted email, and you are left unable to write and share patches to that proprietary software.

This attack requires that we reach out to our friends to let them know how to secure their email communications, because both the past senders and recipients of encrypted emails are potential targets of this attack. If you are new to GPG email encryption, using GPG to encrypt your emails is quite easy, and emailselfdefense.org contains a step-by-step guide to get you started.
