Are PGP and S/MIME broken?

EFF published this article today, causing massive panic among PGP and S/MIME users. EFF is referring to a research paper that wasn’t even available when they published.

Shortly after, Werner Koch published a message saying EFF was overreacting.

After that, the original research paper became available. It says there is a vulnerability in PGP and S/MIME software using HTML, CSS or X.509 functionality. If you don’t use those, you’re safe, as far as I know. Also, the attack seems to be quite sophisticated; it’s not something any script kiddie would pull off.

It’s bad that encryption software is broken. But the media should not cause massive panic based on a document that is not available. EFF may have realized what was going on, but the media quoting EFF certainly didn’t. So don’t send out a message that something “is broken” when the actual situation is more subtle than that.
