 Hi, I'm Danny O'Brien. I'm the International Director here at the Electronic Frontier Foundation And I'm joined by Erica Portnoy, who's a staff technologist and we're going to talk about today's PGP news Erica, before we start, where does PGP fit? I know people always think about it as this tool that people use to protect their communications But what kind of communications and what does it do? So PGP is specifically used for encrypting your email, that is end-to-end encryption So if I want to make sure that only me and you can read messages, PGP is the tool that does that And that's because most email actually gets sent in the plain text so anyone could like look at it Who might have access between the person that's sending it and the person who's trying to communicate That's right. When I send you an email it will go over the internet, go through various servers Go through the network before it finally gets to you, which means that various intermediaries will have access to the contents of that email If it's not encrypted So for almost 30 years now PGP has been a bit of software that was written so that people who were particularly concerned About protecting their email from surveillance, particularly from even powerful actors like governments and states They could run the software, they'd sort of take their message and their email client would secure it, encrypt it And also sort of sign it so that people knew that it was from them And so it's like kind of a plug-in or an add-on on top of your normal email system, right? Yeah, and PGP is one of the most manual systems that we have So if you're very worried about an attack or very worried and want to make sure that the person you're talking to is actually who you think you're talking to PGP gives you lots of ways to check that that's the case Right, and it's got a kind of a reputation for being tricky to use because it's pretty old software It's the kind of thing that you see people typing on terminals and things like that But if you really need that kind of protection you'll spend some time learning to use it and be safe, right? Yeah, it wouldn't be out of place in a hacker movie and it is hard to use But once you do learn to use it you get all those benefits So PGP stands for pretty good privacy which is kind of, you know, ironic sarcastic kind of way of describing it But what we've seen today is this paper that actually says that there's a pretty serious flaw in PGP if you use it for email So can you in really simple terms explain what that flaw might be? Yeah, so this vulnerability has to do with the fact that PGP was created 30 years ago and it used the top-end encryption for that time But turns out that one of the things that you need for encryption is integrity That means when you send me an email I want to be sure that nobody modified the message along the way PGP doesn't necessarily require that always There's a specification called OpenPGP which is actually an internet standard that many of the most common PGP tools implement So when you implement the standard you can make some choices about how you receive incoming mail And essentially if you add an integrity check, what do I do if the integrity check fails? Should I show you the message anyway? Many mail clients ignore this integrity check and show you the message anyway So that just means that if somebody is messed with the message you're going to see a garbled message Yeah, well that's the problem The problem is that in the type of encryption called CBC mode encryption that PGP uses Good use of three-letter acronyms In this type of encryption it doesn't scramble the entire message It only scrambles a little bit of the message And what this particular paper does is it finds a way to exploit that It changes around the message in a way that it knows it is able to And it essentially injects these exfiltration channels directly into the message Okay, so exfiltration Yeah, the exfiltration is the fancy way of saying that I can take it from your machine and send it over to my machine So let me get this straight So what we have is somebody sends you an email and it looks like super secure It's PGP encrypted, but industry standard or whatever Your email client decodes it because they usually do that automatically And inside there's like a surprise because someone's messed with it What's in the surprise? Yeah, your hidden email surprise is what looks like a perfectly normal email to you But on the back end it's automatically sending the contents of the message to somebody else, an attacker But the person already knows the content of the message because they've sent it to you, right? Oh, that's the problem The problem is that you can use it for any message that's ever been encrypted So essentially you sent me an email two days ago An attacker gets a copy of the encrypted version of that email and sneaks it into an email that the attacker just sends to me today Right, and I'm decrypting any email that comes to me because the whole way that PGP works is people make it so that only I can decrypt it So I'm like, this is great, I can decrypt everything But I'm decrypting this message that has a message that I don't want someone else to see Decrypts that and then uses some trick to actually send that to the attacker Yeah, one of the examples that the paper gives is it'll put it directly into an image tag So when you're viewing an email that has an image inside of it, it fetches that image from a remote server And to get that image, your mail client will automatically, behind the scenes, go to a particular URL Now, if that URL is on the attacker's server and instead of saying, hey, I want this particular image like cats.gif It'll say, hey, I want this particular image, entire contents of your previous encrypted message Oh, so it's just sneaking it out, that's the exfiltration Alright, so this sounds pretty serious because the people who use PGP really don't want their messages decrypted in that way And then send out to a remote attacker I guess I've got two questions One is what kind of person could actually use this right now to attack someone who's doing that And by attack, like this is actually a technical term which means not like attack attack But that's what we call people who are trying to break systems like this So who could do that? And what can PGP users right now do to defend themselves against this attack? Yeah, that's the trouble, the trouble is that essentially anyone can do it Reading this paper, I was shocked at just how easy it is to exploit this vulnerability Okay, but they need to have a copy of that previous email that they want to decrypt Exactly, so if I am a malicious sysadmin for example And I have a copy of your encrypted emails sitting on a mail server Or if I hack into a mail server and get those emails, I could do it Or a government who's just listening in to everything Yeah, if it was encrypted over the network, if you were using Start TLS for example Which just encrypts between servers, then... Okay, that's a little... There's a lot of different threat models But essentially if you have a copy of the PGP encrypted email We previously thought that that meant that nobody else could see it But it turns out that that's all you need to exploit this Okay, so now people are like, okay, I'm worried now Is there something people can do apart from just running around panicking? The thing that people need to do today is they need to either disable Or uninstall their PGP plugins for their mail servers Okay, so this is breaking the link between PGP which is doing the decrypting And the email client there that can read HTML, read fancy emails And could be used to send this data around Exactly, the specific problems that we know about that are most easy to exploit right now Are when it gets passed from your PGP software to your email software Okay, I have a question, so I use PGP because I'm old school that way I have old emails that are encrypted in PGP And I read them in my email client, like how do I... If I break that link, how can I read my old emails? So we're going to be putting out a guide for all the steps that you'll need to do The best thing that we can say right now is to use the command line tool called GPG Which is the heart of PGP, that's the thing that GPG is And the command line going back to when we describe this as being what people do in a hacker movie It's going to be tricky, right? But I also imagine that people are going to work on tools to make this easier Yeah, so there are patches being written right now to broken mail clients That hopefully we'll see coming out within the next few weeks is what we're hoping to see But those just aren't out yet so we don't know Ideally you'll be able to put this patch into your machine And then decrypt all your old emails It'll still be pretty dangerous to get new emails though Now that everyone knows about this vulnerability You're already taking a risk just by decrypting it at all Because I just talked about one particular exfiltration channel You can, the rest of them are just limited by your imagination Not my imagination, by hackers imagination So okay, got this Don't use PGP for now Turn it off on email Wait for people to give us some guidance as these patches go on I still need to talk to people Do I just send like emails? Do I just switch to the old email system? You're laughing at me No, that's if you want to remove any protections that you have You can just send it over an unencrypted email But I assume that's not the case you're talking about No Presumably you actually want to send encrypted messages I want to send something securely And so you should probably use one of the many other tools out there For example, Signal is an end-to-end encrypted messaging tool That is cross-platform and will fulfill many of your email needs Signal, most people use it on a mobile phone There's a desktop app, I use that But it's more like an instant messaging thing rather than an email It is skin to look like an instant messaging app Rather than an email client But it does all the encryption that PGP did and more You can send attachments Okay, so that's what I want to do if I want to communicate securely We are expecting stuff to come in and help people But right now it seems to me that this is like when The World Health Organization or the CDC says Like there's this bad thing happening and for now Like wear a mask or like separate Don't eat the lettuce So right now It's very dangerous right now to go around decrypting emails Because essentially what this shows is that how easy it is To use the fact that you're reading an incoming message As a decryption oracle to give the contents of any old encrypted message away So the thing that you would normally use to send secure messages Is now a way that attackers can use stuff Decrypt those messages and like pull them out and send them Any old message forever The second you read any new incoming message might just be Revealing the contents of old messages Okay, thank you for that less reassuring But I mean there are some things people can do And we're going to continue putting information up on eff.org As we get new bits of information But for right now cut that link between your email system And PGP if you use it Use alternative end-to-end encrypted systems Like Signal and we can point to other tools We have a site called Surveillance Self-Defense ssd.ef.org Which can explain other tools that you can use And keep up to date Find out what's happening We'll hear stories and reports in the news But the people to really listen to Are the people that provide your email client And we'll be sending out updates And as here at the Electronic Frontier Foundation We're going to keep on this And we're going to keep on sending messages To let you know what the safest and secure thing you can do To protect your email And those of your friends and colleagues Erica, thank you very much Looking forward to finding out more