2018-05-28

Phil Zimmermann and ProtonMail criticise EFF's advice that users delete PGP to deal with EFAIL.

ProtonMail and the inventor of Pretty Good Privacy (PGP) have released a strong statement dispelling recent reports that the encryption program should be disabled because of alleged vulnerabilities.

The developers of the email encryption program, including its creator Phil Zimmermann, have come together to set the record straight, taking aim at the Electronic Frontier Foundation (EFF) for promoting advice that users disable PGP to deal with the EFAIL issue.

"EFF recommended that users disable PGP plugins or stop using PGP altogether. This is akin to saying, 'Some locks can be broken; therefore we must remove all doors.' This is particularly dangerous because it can put at risk individuals who rely on PGP encryption for security," Andy Yen of ProtonMail, PGP inventor Phil Zimmermann, Enigmail founder Patrick Brunschwig and Mailvelope founder Thomas Oberndorfer said in a joint statement.

The EFF promoted a research paper earlier this month from Professor Sebastian Schinzel, of Germany's FH Münster University of Applied Sciences, which claimed PGP and S/MIME email encryption had critical vulnerabilities.

The professor initially tweeted about the EFAIL issue, which he found can expose the plaintext of encrypted emails, before alerting the EFF about the problem.

"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email," an EFF spokesperson advised at the time.

However, Zimmermann and his co-authors yesterday said such advice is misleading and potentially dangerous, as the EFAIL vulnerabilities are not flaws in the OpenPGP protocol itself, but errors in particular implementations of it.

As an open standard, PGP can be implemented by anyone, and individual implementations can contain security weaknesses, Zimmermann and the others said, adding that this does not mean that PGP itself is broken.

"Both our recommendations and EFF's require user action on the part of the sender and recipient of messages, but our recommendation provides better security," they stated. "If you receive PGP email, following our recommendations protects you from EFAIL, while still allowing you to easily decrypt PGP messages."

Their recommendation to combat the EFAIL vulnerability is for users to update their PGP software to the latest version and to ensure that the user at the other end of the conversation is also using an unaffected implementation, or has updated their PGP software, before sending any sensitive information.

Among the most commonly used software based on PGP, only Enigmail and GPGTools were vulnerable, but ProtonMail said the issues are easy to mitigate by upgrading Enigmail to version 2.0.5 and using only the simple HTML or plain-text viewing modes in Thunderbird.

If you use GPGTools, it is advised you disable loading remote content.
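A defensive check for the two Thunderbird settings the article's mitigation relies on (remote content blocked, messages rendered as plain text or simple HTML), as an added example that is not from the article or from any of the projects it names. The pref names are Thunderbird's standard prefs.js keys rather than anything quoted in the article, and the sample prefs.js content is constructed.

```python
import re

# Thunderbird prefs.js keys (assumed here; not quoted in the article).
# prefs.js only stores values the user changed, so a missing key means the default.
PREF_REMOTE_IMAGE = "mailnews.message_display.disable_remote_image"  # default True: remote content blocked
PREF_HTML_AS = "mailnews.display.html_as"  # 0 = original HTML, 1 = plain text, 3 = simple HTML
SAFE_HTML_MODES = {1, 3}  # the viewing modes the article's mitigation calls for

_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict of name -> bool/int/str value."""
    prefs = {}
    for match in _PREF_RE.finditer(text):
        name, raw = match.group(1), match.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def efail_findings(prefs):
    """Return the settings that leave the HTML rendering / remote-content channel open."""
    findings = []
    # Remote content is blocked unless the user explicitly set this pref to false.
    if prefs.get(PREF_REMOTE_IMAGE, True) is False:
        findings.append(f"{PREF_REMOTE_IMAGE} is false: remote content loads automatically")
    mode = prefs.get(PREF_HTML_AS, 0)  # default 0 renders the original HTML
    if mode not in SAFE_HTML_MODES:
        findings.append(f"{PREF_HTML_AS}={mode}: set 1 (plain text) or 3 (simple HTML)")
    return findings


# Constructed sample prefs.js contents: one profile that loads remote content and
# renders full HTML, one hardened as the article recommends.
EXPOSED_PREFS = """\
user_pref("mailnews.message_display.disable_remote_image", false);
user_pref("mailnews.display.html_as", 0);
user_pref("mail.identity.id1.useremail", "alice@example.invalid");
"""
HARDENED_PREFS = """\
user_pref("mailnews.display.html_as", 3);
user_pref("mail.identity.id1.useremail", "alice@example.invalid");
"""

if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_PREFS), ("hardened", HARDENED_PREFS)):
        print(label, efail_findings(parse_prefs(text)) or ["no findings"])
```

Point it at the prefs.js in a real Thunderbird profile directory to audit an installed client; an empty findings list means both settings match the mitigation described above.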