PGP encryption isn’t dead, despite the panic over EFAIL

ICIJ relies on PGP encryption every day, so we’ve been watching the EFAIL vulnerabilities debate closely. Is PGP dead? We don’t think so.

At the International Consortium of Investigative Journalists, we rely on PGP encryption every day to secure our sensitive communications and data. So, it caught our attention when security researchers in Germany found vulnerabilities with specific implementations of PGP that they dubbed EFAIL.

Pretty Good Privacy, or PGP, is an encryption software developed in 1991 by Philip Zimmermann as a human rights tool for sending secure messages or files over the internet. Following PGP’s release, Zimmermann was targeted by the U.S. government for distributing cryptographic software across borders, but the case was dropped in 1996.

There are very few alternative encryption methods for email that are as effective as PGP.
Pierre Romera

PGP works by assigning each user a randomly-generated public key and a private key that are unique and unreadable. To send someone data using PGP, the recipient must have access to your public key.

Data comes in many forms, from emails that use Internet Message Access Protocol (IMAP) to be transmitted over the internet, to  videos and other large files that can be shared using File Transfer Protocol, or FTP. When a user wants to send these files, PGP uses the receiver’s public key to encrypt or lock the data. The data is secure during transmission and can’t be accessed. Then the receiver uses a personal private key to decrypt (or unlock) the data.

PGP explainer
Image courtesy of OpenPGP.

The EFAIL vulnerability isn’t a problem with the PGP protocol itself; instead it concerns the systems that automate the decryption process for users.

University of Münster researchers found the plaintext of the encrypted emails was vulnerable to attackers when combined with HTML content in an email. The plaintext could be siphoned out through hyperlinks connected to the internet and exfiltrated, or transferred without the owner’s permission.

“The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim,” the EFAIL researchers explain. “The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”

Common add-ons used to enable PGP encryption with email clients like Apple Mail and Mozilla Thunderbird were vulnerable to this type of attack, but most major tools have now patched these vulnerabilities and just require the user to update the software to complete protection.

Pierre Romera, the chief technology officer at ICIJ, sent out a warning to ICIJ staff and members as soon as the vulnerability was made public. His primary recommendation was simple:

“Having HTML enabled in PGP email is not a good idea, and that’s why the first step to make sure you’re not exposed to any risk or attack, is to deactivate HTML in your email and deactivate external content.”

But the discovery of EFAIL exacerbated concerns over the 27-year-old PGP protocol. In May, Wired UK declared “PGP is dead” in a piece criticizing its age and user-unfriendliness. The Electronic Frontier Foundation, or EFF, suggested readers use “alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.”

Zimmermann held his ground in the face of the unease worming through tech circles. Alongside the founders of ProtonMail, Mailvelope and Enigmail, the cryptographer took aim at EFF in particular:

“EFF recommended that users disable PGP plugins or stop using PGP altogether. This is akin to saying, ‘Some locks can be broken; therefore we must remove all doors.'”

ICIJ’s tech director appears cautious but confident in PGP’s security. Romera said he doesn’t believe a messaging app like Signal or Whatsapp will replace the practicality of the email encryption tool.

“We’re not going to drop PGP for a very good reason; it’s the best way to ensure our [email] communications are safe,” Romera said.

“There are very few alternative encryption methods for email that are as effective as PGP.”

FinCEN Files

Lessons from award-winning FinCEN Files and Luanda Leaks investigations

Jul 23, 2021
European Parliament and EU flag

EU to propose watchdog to tackle anti-money laundering failures exposed by FinCEN Files

Jul 16, 2021
Protesters in London outside the Chinese Embassy

As global pressure over human rights abuses in Xinjiang picks up, China remains defiant 

Jul 15, 2021

On the decline since Panama Papers, Malta punished for dirty money reputation

Jul 08, 2021
Isabel dos Santos and Sindika Dokolo

Dutch court sides with report calling dos Santos-linked energy deal an ‘act of corruption’

Jun 28, 2021

Facing global pressure, UAE to begin fining violators of new corporate transparency rules

Jun 21, 2021
ICIJ is dedicated to ensuring all reports we publish are accurate. If you believe you have found an inaccuracy let us know.