As Matthew Green, a noted cryptographer and Assistant Professor of Computer Science at Johns Hopkins Information Security Institute, notes, the attack meets at the intersection of "bad crypto" and the "sloppiness" of mail client developers. In particular, he warns, the flaws could be exploited at a corporate email level, provided an attacker had access to stored emails.

The real news here is probably about S/MIME, which is actually used in corporate e-mail settings. Attacking and modifying encrypted email stored on servers could actually happen, so this is a big deal. 4/

— Matthew Green (@matthew_d_green) May 14, 2018

Werner Koch, the author of GNU Privacy Guard, a.k.a. GPG, dismissed the research as “overblown” on Monday.

“The topic of that paper is that HTML is used as a back channel to create an oracle for modified encrypted mails. It is long known that HTML mails and in particular external links like <img href="tla.org/TAG"/> are evil if the MUA actually honors them,” Koch wrote in an email to the Gnupg-users mailing list.

“There are two ways to mitigate this attack
- Don't use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links.
- Use authenticated encryption,” Koch continued.

Robert J. Hansen, an Enigmail developer and GnuPG volunteer issued a statement on behalf of the standard Monday morning, urging caution in how the paper is interpreted.

“You might be vulnerable if you're running an ancient version of GnuPG (the 1.0 series; the current is 2.2), or if your email plugin doesn't handle GnuPG's warning correctly,” Hansen wrote, “You might also have had some exposure in the past if back then you used a pre-2000 version of GnuPG, and/or an email plugin which didn't handle the warning correctly.

1. This paper is misnamed. It's not an attack on OpenPGP. It's an attack on broken email clients that ignore GnuPG's warnings and do silly things after being warned.
2. This attack targets buggy email clients. Correct use of the MDC completely prevents this attack. GnuPG has had MDC support since the summer of 2000.
3. The authors made a list of buggy email clients. It's worth looking over their list of email clients (found at the very end) to see if yours is vulnerable. But be careful, because it may not be accurate -- for example, Mailpile says they're not vulnerable, but the paper indicates Mailpile has some susceptibility. The authors have done the community a good service by cataloguing buggy email email clients. We're grateful to them for that. We do wish, though, this thing had been handled with a little less hype. A whole lot of people got scared, and over very little,” Hansen tweeted.

There are arguments on both sides of the coin when it comes to the flaws. As Hansen/GnuPG notes a user would have to essentially blown past GnuPG's MDC warnings to be exploited. Some experts questioned Monday whether email clients should really treat MDC failures as warnings, instead of errors.

No, in 2018 you don’t get to claim the high ground and blame users and implementations if your crypto API returns the plaintext on a decryption error.

At most you can say “sorry we are a legacy system, no one knew better then, it’s time to migrate off”.

— Filippo Valsorda (@FiloSottile) May 14, 2018

The idea that email clients should check for a “WARNING” message and abort is like the idea that they should supply special flags to curl to get it to check certificates.

No, gpg should do the right thing by default. It has one job!

— Thomas H. Ptacek (@tqbf) May 14, 2018

MDC, or Modification Detection Code, is a cryptographic hash function introduced in 2000, designed to prove a message's integrity.

For what it's worth the authors of the paper, a group of academics from Münster University of Applied Sciences and Ruhr University Bochum in Germany, and KU Leuven in Belgium, called on PGP and S/MIME users to either disable encryption in their email clients or disable HTML rendering as a means to prevent active content abuse.

The second option, especially for the more security conscious, could be an especially fine option. As Claudio Guarnieri, a Senior Technologist at Amnesty International and Advisor at Citizen Lab notes, it could leave users less susceptible to phishing attacks.

Regardless of this particular issue, disabling HTML rendering in your email client is good. Less exposure to these sorts of attacks, fewer risks of getting remote resources accidentally loaded that might leak information, and easier to watch for potential phishing links.

— nex (@botherder) May 14, 2018

The Electronic Frontier Foundation (EFF) echoed the researchers' sentiments and encouraged users to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email like Enigmail with Thunderbird, GPGTools with Apple Mail, and Gpg4win with Outlook.

ProtonMail, an end-to-end encrypted email service, took umbrage with the EFF's warning, calling it "overblown and disproportionate, and likely issued without fully understanding the issue," adding that the way the flaws were disclosed added insult to injury.

Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.

— ProtonMail (@ProtonMail) May 14, 2018

ProtonMail, for its part, said Monday it was not affected by the flaws. The end-to-end encrypted email software Tutanota and Canary Mail, an email app with PGP for Mac and iPhone, also acknowledged their services weren't affected. Enigmail, as Hansen notes, patched the issues months ago.

"If you're using a recent GnuPG and Enigmail 2.0 or later, you should be fine. If you're not, consider this an object lesson in the importance of upgrading your security-critical software," he tweeted.

Keys image via Ozzy Delaney's Flickr photostream, Creative Commons