On Mon, May 21, 2018 at 08:51:17AM -0400, Robert J. Hansen wrote:
>> That being the *incredibly* unhelpful and likely actively harmful
>> recommendation to remove encryption and decryption functionality from
>> vulnerable MUAs.
>
> I blame the EFF for that more than I blame the Efail developers. I
> expect the people who develop new attacks to overstate their
> importance: it's not out of any intent to deceive, it's just that
> they're too close to the problem to have a clear perspective on the
> user impact.
That is a good point and a fairly common situation; possibly the second most common form of engineering blindness (the first one being having a favourite tool and applying it to every problem regardless of relevance — when armed with one's favourite hammer, everything looks like a nail).

> The EFF, though...

Indeed …

> But even then, I have some sympathy for their position. The EFF
> works with many different activists in many different countries
> running many different setups. They were in a difficult situation
> of needing to put out a press release that had useful
> recommendations for everyone, left no one out in the cold, while
> still not raising a panic.

Had their publications been limited to the articles on the 13th and 14th, I could buy that. Unfortunately the updates to the SSD website on the 15th really strain things, especially the FAQ. Not only is it potentially panic-inducing, but they recommend an approach of having end users campaign against using OpenPGP at all with all of their contacts with no regard for what additional circumstances those contacts have. They've literally created a FUD-virus as a meme which will self-replicate throughout the web-of-trust. I'm sure we'll be encountering people advising others not to use OpenPGP long after the last of those affected MUAs are patched and *that* is stretching the edges of the term reckless (as it is usually used in legislation, e.g. reckless endangerment of life as opposed to, say, wilful endangerment of life).

I also don't believe they can actually fix this now that they've created it without a complete reversal of their current position; which they can't do because of the MUAs which are affected and some users could be targeted. By the time the conditions are such that they can consistently give the “all clear” on the matter, the FUD-virus will have spread too far and be too independent of them to stop (but will still gain credibility and traction by trading off their name and reputation).
> Let me be clear: I think the EFF behaved irresponsibly. But I can
> be sympathetic to their situation, too. It's not a one-or-the-other
> thing.

Sure; doing nothing and ignoring the affected MUAs does no one any good, but this response is likely to do more harm than the thing it's intended to stop and it didn't have to be that way. Not to mention the little matter that their sole recommendation of a viable alternative in all circumstances is a service which is entirely dependent on a centralised server (or network of servers). One which explicitly cannot be implemented in a federated manner and all attempts to fork it in order to do precisely that have been abandoned as a result of Moxie's opposition to them trying to connect to his network to communicate with Signal users. It's simply not a complete replacement in spite of EFF's wish that it is. It's a great addition to a suite of services and tools, but relying on it as a replacement for OpenPGP is misguided (not to mention impossible for some people and/or networks and/or pseudonymity requirements).

> And I'm going to remain quiet on this further until I have
> time to see the EFF's postmortem.

I won't go beyond the current statement describing it as reckless yet and I hope I don't have to. Perhaps they will be able to do some damage control in their own review.

>> Indeed, this particular release may still succeed in producing a body
>> count. I am not yet aware of any confirmed fatalities stemming from
>> people panicking and stopping using crypto because they listened to
>> Efail and/or the EFF, but there is one particular community I'm
>> watching for just that issue right now.
>
> If I can help in any way, please let me know.

Appreciated, but in this particular case it would probably be a crime for you to do so, at least directly to said group, whereas it's perfectly legal over here.
It might depend a little on the interpretation of the First Amendment over there, though, and it is still possible that those laws are unconstitutional, but it's too early to know for sure yet and it doesn't look like there are too many organisations over there wanting to challenge it (yet).

Regards,
Ben
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users