Are PGP and S/MIME broken?

EFF published this article today, causing massive panic among PGP and S/MIME users. EFF is referring to a research paper that wasn’t even available when they published.

Shortly after, Werner Koch published a message saying EFF was overreacting.

After that, the original research paper became available. It says there is a vulnerability in PGP and S/MIME software using HTML, CSS or X509 functionality. If you don’t use those, you’re safe, afaik. Also, the attack seems to be quite sophisticated; it’s not something any script kiddie would do.

It’s bad that encryption software is broken. But the media should not cause massive panic based on a document that is not available. EFF may have realized what was going on, but the media quoting EFF certainly didn’t. So don’t send out a message that something “is broken” if the actual situation is more subtle than that.
