I guess you've followed all the ruckus about #
EFAIL. What strikes me the most is that all the blame is put on PGP and S/MIME. They're declared faulty and broken to the point that the Electronic Frontier Foundation strongly advises all users to refrain from using them altogether.
What hardly anyone (outside of forums and comments sections of news outlets) says is that the problem is actually almost as old as e-mail itself: It's HTML mails that are to blame, HTML mails and the necessity of full-blown Web browsers within mail clients to display them.
That concept has been broken as long as it has been around. But it seems impossible to even reduce: Companies want their entire newsletters to appear in their corporate identity (to the point of having stylesheets, JavaScript and entire content management systems in e-mails), and they insist in shoving that CI into everyone's faces, thereby refusing to even add a text-only part. Non-geek users can't live without dolling up their mails like they doll up their Word documents (and like they shouldn't), and their providers (not like any of them use mail clients) support them with point-and-click, WYSIWYG editors that have HTML as a standard format.
But frankly, all that doesn't even
matter when it comes to #
EFAIL. None of these kinds of users encrypt anything. For non-geek users, both S/MIME and PGP are
way too complicated. Not only because they want automagic one-click, no-brainer, fire-and-forget solutions. Even many geeks find both too cumbersome, and I'm talking about geeks level "emerge world". And companies would encrypt their mails if a proprietary, closed-source, commercial, preferably Windows-only, definitely not fully cross-platform solution developed by a US-based IT corporation became the de-facto standard. These users aren't affected by #
EFAIL because neither PGP nor S/MIME even comes close to them.
It's only a few übergeeks who encrypt their mails. And I'm pretty sure that every last one of them has enough common sense and enough knowledge of the matter to neither send nor accept non-plaintext mails. At least not send them. These people aren't affected either because HTML mails don't come close to them.
So #
EFAIL only applies to a use case which in reality should be expected to never happen. Why all the commotion then?
It seems like it's really meant to get rid of PGP, especially OpenPGP/GnuPG, and S/MIME (p≡p isn't ready for productive use yet, otherwise it would have fallen victim to the same "bug"), encryption technologies that are next to impossible to crack within a reasonable amount of time, let alone to install backdoors in. No, really not. If the NSA bugs GnuPG, someone will fork it and remove the bug, and all GNU/Linux distributions will either switch to the fork (between releases if need be) or backport the bug removal into their GnuPG code. So if you can neither bug it nor ban it, discourage people from using it.
The problem with this scheme is that those who are smart enough to have generated their own OpenPGP key and use it are also smart enough to not fall for this scheme.
