Robert J. Hansen @robertjhansen
Long thread. If you want to know the high-level details of the Efail attack, read. Yes, it was embargoed; yes, we were respecting the embargo; but links to the paper are now easy to get, so... here goes. 1/
This is at its heart a malleability attack on OpenPGP's cipher feedback mode. These attacks aren't new. The IETF OpenPGP Working Group first knew about them in 1999. By September 2000, GnuPG had a defense. 2/
The defense is called a Modification Detection Code, or MDC. Originally MDCs were optional. Today they're the default. The Efail attack requires an MDC either be missing or be invalid. 3/
You *can* manipulate a message with MDC into being one without MDC. The Efail authors are right there. So let's see what happens when GnuPG sees a message without an MDC.
As you can see in the last line, you get a very clear message. "WARNING: Message was not integrity protected."

After that, it's up to your email client to do the right thing. 5/
Your email client should refuse to render the message. If it ignores the warning or does the wrong thing in response to it, then yes, the Efail attack is very real. So it's really more fair to say this is an attack on poorly-written clients, not OpenPGP. 6/
The OpenPGP spec does technically allow for non-MDCed messages. It has to for backwards compatibility reasons. But no modern OpenPGP client should silently ignore missing/malformed MDCs. No modern email client should ignore the OpenPGP client's warnings. 7/
GnuPG has given warnings on missing/malformed MDCs for years. And although the Efail authors did find some problems in Enigmail -- for which we're deeply sorry, and plead that we're only human -- we fixed them months ago. 8/
If you're using a recent GnuPG and Enigmail 2.0 or later, you should be fine. If you're not, consider this an object lesson in the importance of upgrading your security-critical software. 9/
I encourage you to read the Efail paper. I've also shown you some GnuPG commands and outputs: please check me. As always, we welcome your feedback. If you're a trainer or working with vulnerable people, please DM/email with your questions. 10/10 (end)
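The client-side rule from tweets 5 to 7 (refuse to render unless GnuPG confirmed integrity), as an added example that is not part of the original thread or of GnuPG/Enigmail code. It reads GnuPG's `--status-fd` lines and fails closed; the status keywords are GnuPG's, while the function names and sample status streams are constructed for illustration, and only MDC-protected (non-AEAD) messages are considered.

```python
# Added example: decide whether decrypted mail may be rendered, based on the
# machine-readable lines GnuPG writes with --status-fd. Fail closed: render
# only when GnuPG positively reported a valid MDC.
PREFIX = "[GNUPG:] "
FATAL = ("BADMDC", "DECRYPTION_FAILED")

def parse_status(status_text):
    """Return [(keyword, [args...])] for every GnuPG status line."""
    events = []
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                events.append((parts[0], parts[1:]))
    return events

def may_render(status_text):
    """Return (ok, reason). The caller must buffer the plaintext and show it
    only if ok is True, because GnuPG checks the MDC at the end of the data."""
    events = parse_status(status_text)
    keywords = [k for k, _ in events]
    for k in keywords:
        if k in FATAL:
            return False, "gpg reported " + k
    for k, args in events:
        # DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>]; 0 means no MDC
        if k == "DECRYPTION_INFO" and args and args[0] == "0":
            if len(args) < 3 or args[2] == "0":
                return False, "message was not integrity protected"
    if "DECRYPTION_OKAY" not in keywords:
        return False, "decryption not confirmed"
    if "GOODMDC" not in keywords:
        return False, "no GOODMDC status"
    return True, "integrity verified"

# Constructed sample status streams (not captured from a real session).
GOOD = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION"""
NO_MDC = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 9
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION"""
BAD_MDC = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION"""
```

Note that `NO_MDC` still contains `DECRYPTION_OKAY`: a client that keys only on that line, or only on the exit code, renders exactly the message the thread says it should refuse.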