back to article Zimmerman and friends: 'Are you listening? PGP is not broken'

ProtonMail has weighed into 2018's worst branded-bug PR disaster, EFAIL, with a simple statement: “PGP is not broken”. The discoverers of the bug in e-mail client encryption implementations started the ball rolling ahead of their disclosure in the middle of this month. Münster University professor Sebastian Schinzel started …

  1. john.jones.name

    they are right

    the EFF deserves criticism in this case and so do those who write insecure mail clients...

    I wonder if Microsoft is going to be patching their SMIME and HTML implementation ?

    1. sabroni Silver badge

      Re: they are right

      Surprise surprise! What's the story about? Pgp, various encrypted email providers, Thunderbird. Who does the first comment target? MS.

      Tbh it's not the knee jerk irrelevant ms bashing that irritates as much as the dumb upvotes for this facile whataboutery.

      1. doublelayer Silver badge

        Re: they are right

        While I get that the comment was a bit slanted against Microsoft, Microsoft was specifically mentioned to have an insecure client for this, and they need to fix it. In the interest of balance, I hope apple, Mozilla, and Microsoft all fix their clients immediately. Oh, and anyone else who is vulnerable; that's just the group mentioned in the article.

  2. Anonymous Coward
    Anonymous Coward

    Who could possibly gain

    from promoting misinformation alleging that a Secure Communications mechanism such as PGP is broken ?

    1. Grooke

      Re: Who could possibly gain

      Maybe we should all call the FBI. "No need to backdoor PGP, its broken"

  3. Frank Zuiderduin

    Werner Koch (a.k.a. mister GnuPG) already mentioned what was really amiss on the day the efail nonsense was released. And he was pretty much ignored by the media. Not sensational enough, I guess.

    1. Anonymous Coward
      Anonymous Coward

      > Werner Koch (a.k.a. mister GnuPG) already mentioned what was really amiss on the day the efail nonsense was released. And he was pretty much ignored by the media. Not sensational enough, I guess.

      Werner has been ignored by pretty much everyone¹ in the last twenty years or so that he has been, single-handedly, developing and maintaining GPG. That's just not right. :(

      ¹ To be fair, one or two of the big internet giants have been funding his work for the last couple of years now. But still.

  4. bolac

    Worst bug? Meltdown already forgotten?

    1. Archtech Silver badge

      Not bloody likely

      "Worst bug? Meltdown already forgotten?"

      They wish.

    2. Robert Carnegie Silver badge

      Not worst bug, worst brand.

      They don't like the name EFAIL.

      I'm waiting for some issue of timing accuracy to be codenamed NOTAPROBLEM. Try getting a budget to fix that.

  5. John Smith 19 Gold badge
    Unhappy

    Thinking. Email client --> file viewer --> Piece of P**s to write -->Anyone can do it.

    Turns out not to be correct.

    But the EFF's has not covered themselves in glory with this.

    It's a tough question. Do you state which clients you know are insecure and which ones you know are not? Or just tell people to avoid certain ones as otherwise you'd be endorsing all the rest?

    The nuanced answer would be "Disable HTML" and list those browsers that force you to use HTML.

    1. Paul Kinsler

      Re: "Disable HTML"

      Ah, but what if the browser also does speculative pre-fetch, and so loads things in the background, just in case you decide to re-enable?

      1. Martin Gregorie Silver badge

        Re: "Disable HTML"

        That's a bug in my books, because setting 'disable' should mean that the feature is disabled. Always. No exceptions.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Disable HTML"

          Not even "I changed my mind"? Always consider Stupid Users when you take UIs into consideration. They WAY outnumber you.

  6. Anonymous Coward
    Anonymous Coward

    Use PGP from command line then include in e-mail.

    Simple solution.

    PGP is not broken, the clients are idiots!

    1. Anonymous Coward
      Anonymous Coward

      Anyone who's not an expert in things I'm an expert in is an idiot!

    2. Charles 9 Silver badge

      Then you have to tune the clients for those idiots. They way outnumber you, AND You Can't Fix Stupid. That's always been the problem with things like PGP. They weren't made for the mass market, and without the mass market, you can't reach critical mass.

  7. J27 Bronze badge

    I feel like the core issue here is that the vast majority of people reporting on this sort of thing either don't understand how things like this work and/or have absolutely no time to look into things and just parrot whatever the last talking head said about it and the headlines get more and more hyperbolic.

    Most of the headlines for this story where "PGP is cracked, run for the hills!", which was really a fairly obvious exploit of some shoddily-made email-client (people still use these?) plugins.

    1. Calin Brabandt

      Ughh..but we don't know what we don't know!

      PGP may not be cracked in epidemic proportions but i would not be surprised if the NSA and other deep state thugs have already secretly developed quantum computing to the point that they can target and crack any encryption rather promptly, if so motivated. To make a more general prediction, I believe that just about any reasonable technology/weapon that one can imagine as being useful to their evil ends is also already available and in their hands or they are working on it!

  8. Mahou Saru

    Mutt is a man's best friend...

    Still my favourite MUA. Started using it years ago when I had to learn vi and kept using it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019