Sergey Nivens - Fotolia
In this week's Risk & Repeat podcast, SearchSecurity editors discuss the Efail vulnerabilities in PGP and S/Mime protocols, as well as the rocky disclosure process for the flaws.
The unveiling of the Efail flaws in encryption client software led to spirited debates about the rocky disclosure of the vulnerabilities and who, ultimately, was responsible for them.
The vulnerabilities, which were discovered by a team of academic researchers in Germany and Belgium, affect some client software that implements two popular protocols for email encryption in Pretty Good Privacy (PGP) and Secure Multipurpose Internet Mail Extensions (S/Mime). The Efail flaws could allow threat actors to obtain the plaintext of messages encrypted with the affected client software.
The researchers' technical paper pointed to faulty email clients rather than the protocols themselves, which sparked a debate about who was responsible for the Efail flaws. While some infosec experts argued the developers were on the hook, others such as Matthew Green, professor at Johns Hopkins University's Information Security Institute, criticized organizations like GnuPG for not taking a more active role in addressing the problem. Additionally, a broken embargo for the branded vulnerabilities led to questions and concerns about coordinated disclosure processes.
Was there an overreaction to Efail? Who takes the majority of the blame for these vulnerabilities? Did the Efail disclosure actually fail? SearchSecurity editors Rob Wright and Peter Loshin discuss these questions and more in this episode of the Risk & Repeat podcast.