I am writing this because there is a lot of hyperbole about efail
Are GPG/PGP and S/MIME broken?
No. efail is an attack on the mail client. Not on the cryptography. Although there is some mussing with the cryptographic elements That would be very apparent, signatures would fail, etc.
Are my Private Key Compromised, Does this lead to a compromise of the keys?
No. This tricks email reading programs into sending the clear text of the message once it is decrypted back to the attacker.
Is my email program affected?
Maybe. Not all are. There is an excellent chat on page 11 of The official report
Should I disable/stop using GPG or S/MIME?
The real problem is HTML rendering in some email clients. Check the list Document mentioned above to see if yours is effected
Patches are coming on-line quickly so check that your E-mail client is up to date
If you are comfortable doing so turn off HTML rendering of E-mail. This will almost completely mitigate the issue. The researchers did not get a non-HTML rendered E-mail to be effected but they do suggest other more complicated things that MAY be able to do that.
Keep in mind that is a complicated Man-in-the-middle attack that requires the attacker to have access to your stored E-mails on the server or your computer or the ability to capture them in transit. This is not something generic hackers will be doing. It is something that Governments and places like the NSA will be interested in. If you are worried about them I'd strongly suggest making sure you are using a non-effected client and disabling HTML rendering.
But for the average person that isn't worried about nation states and spy agencies actively trying to get their stuff I'd say keep using GPG or S/MIME. Apply the patches as they become available. Turn Off HTML Rendering. or move to an unaffected client.
It's better to send encrypted and force people to work at decrypting it then just say fuck it and send everything in the clear and let them have it all with no effort.
The Bullet points
- The attacker must have access to your E-mails either on the server or in transit
- Not all email programs are effected
- Patches are coming quickly
- This is not a problem with the encryption. It a problem with the E-mail programs
- Turning off HTML rendering almost completely neuters this attack (except for some theoretical attacks)
- For the average person this is a low priority and easily mitigated attack.
- Take the appropriate precautions like moving to a non-effected E-mail reader, patching, plus turning off HTML rendering and keep encrypting.
I am writing this because there is a lot of hype, click bait and other stuff going on around Meltdown and Spectre. I want to put out the info in plain simple terms.
First and Foremost
Your computer is not broken or defective.
Intel DID NOT screw up.
The fact that Out-of-order Execution has been around since the '70s and in modern PCs since the mid '90s and the exploit is only now being found shows that this is a extremely clever, highly technical, exploit that builds on much more modern concepts like "CPU cache timing attacks for side channel leakage of information.".
There are software patches already on the way to mitigate the problem. The "performance hits" talked about are not well documented and as the mitigations improve any performance hit will be reduced.
Is it bad?
It is a serious issue. It is not the end of the world, or your computer, or the internet.
What is it?
Both techniques take advantage of a feature of many (not all) modern processors called Out-of-order execution. Which is a technique that most modern CPUs use to get things done more efficiently and faster.
It is NOT a technique to get code on your machine. It is a technique that code that has already gotten on your machine can use to access information that is usually protected.
Access to such information would let the code then bypass several other protections to gain more privileges or steal information from other processes.
What should I do
Breath. Relax. There is no evidence that these have been exploited in the wild yet. Patches/Fixes are coming online quickly.
Apply patches as they become available. Many people are working on ways to mitigate these problems.
What about all the noise.
Sadly this is the type of exploit that makes for great attention grabbing headlines and news coverage. But the facts are much more complex then the mainstream media want to cover. It is much easier to say "Every Intel Processor is effected but this bug." than "There is a highly technical side channel attack on processors that support Out-Of-Order Execution that leads to the leakage of privileged information. This would let them steal information or use information about the layout of system memory to use another advanced technique called Return Oriented Programming to gain full control of the system."