I guess you've followed all the ruckus about #EFAIL
. What strikes me the most is that all the blame is put on PGP and S/MIME. They're declared faulty and broken to the point that the Electronic Frontier Foundation strongly advises all users to refrain from using them altogether.
What hardly anyone (outside of forums and comments sections of news outlets) says is that the problem is actually almost as old as e-mail itself: It's HTML mails that are to blame, HTML mails and the necessity of full-blown Web browsers within mail clients to display them.
But frankly, all that doesn't even matter
when it comes to #EFAIL
. None of these kinds of users encrypt anything. For non-geek users, both S/MIME and PGP are way
too complicated. Not only because they want automagic one-click, no-brainer, fire-and-forget solutions. Even many geeks find both too cumbersome, and I'm talking about geeks level "emerge world". And companies would encrypt their mails if a proprietary, closed-source, commercial, preferably Windows-only, definitely not fully cross-platform solution developed by a US-based IT corporation became the de-facto standard. These users aren't affected by #EFAIL
because neither PGP nor S/MIME even comes close to them.
It's only a few übergeeks who encrypt their mails. And I'm pretty sure that every last one of them has enough common sense and enough knowledge of the matter to neither send nor accept non-plaintext mails. At least not send them. These people aren't affected either because HTML mails don't come close to them.
only applies to a use case which in reality should be expected to never happen. Why all the commotion then?
It seems like it's really meant to get rid of PGP, especially OpenPGP/GnuPG, and S/MIME (p≡p isn't ready for productive use yet, otherwise it would have fallen victim to the same "bug"), encryption technologies that are next to impossible to crack within a reasonable amount of time, let alone to install backdoors in. No, really not. If the NSA bugs GnuPG, someone will fork it and remove the bug, and all GNU/Linux distributions will either switch to the fork (between releases if need be) or backport the bug removal into their GnuPG code. So if you can neither bug it nor ban it, discourage people from using it.
The problem with this scheme is that those who are smart enough to have generated their own OpenPGP key and use it are also smart enough to not fall for this scheme.