Efail: can email be saved?

The revelation that encrypted email is vulnerable to a variety of devastating attacks (collectively known as "Efail") has set off a round of soul-searching by internet security researchers and other technical people -- can we save email?

One way to think about Efail is that it was caused by a lack of central coordination and control over email-reading programs -- the underlying protocols are strong and robust, but they can be implemented in ways that create real problems. In particular, the ability to show HTML inside a message makes email very hard to secure: HTML is very complicated and powerful (it's come a long way since its early days as a toy language for laying out text in a window) and so it's hard to predict all the things an attacker might do with the HTML in their malicious messages.

If you think HTML has experienced feature-creep since its inception, just look at email: it has turned into a workhorse that does everything you can imagine inside a business, a family, or a group of friends. So in 2018, we have married a pluripotent programming language (HTML) to a universal tool used for all tasks (email) that has no oversight or control. It's easy to see how things have gone wrong.

But the email story is more complicated than that. Email is the last federated system standing on an internet that was designed to be federated. Where the net was once dominated by independently maintained, mutually interoperable services, it is now dominated by a handful of giant platforms, many of whom are committed to "walled garden" strategies that prevent users of their system from participating in their rivals -- think, for example, of how Instagram previews show up in Facebook, but not in Twitter.

Email is concentrated, too, of course: Google owns much of it through Gmail, but there are still millions of independently maintained mail-servers online. There's a reason that the backlash by media organizations against Facebook's dominance used email newsletters as the first line of defense. Email newsletters (in theory) allow you to reach everyone online without worrying about permission or interference from Facebook or Twitter or Google or Apple.

Email's federated nature means that it has less control -- federation and control are opposites. The current form of email gained popularity due to its willingness to abandon control. Before RFC822, there were innumerable attempts to make an authenticated email system that would prevent forgeries and positively identify senders, but these only worked if everyone who ran a mail server agreed to an extensive set of procedures to make sure that anyone who used the server had been affirmatively identified, with their email indentities linked to real-world identities. As we learned (again) in the Nym Wars, the concept of identity is slippery and fraught.

RFC822 didn't abandon the idea of identity -- it just added a placeholder that read, basically, "This part is hard, let's do it later." Setting aside the hard part let email grow and thrive, and by the time it was widely deployed, no one had any appetite for figuring out the possibly impossible identification problem.

As Katherine Myronuk famously noted, all complex systems have parasites: making email "complex" (that is, allowing maximum freedom for each member of the email federation decide how email would work for them) made it open to parasites (bad actors who exploited the looseness of the system to attack its members).

But federation is why email has outlived all its rivals, and why it continues to thrive. The idea that we can fix email by taking a secure-by-design platform like Signal or Wickr and expanding it to the point where it fulfills all the email-like functions is hard to credit: adding that degree of complexity to those systems will introduce the same kind exploitable ambiguities that led to Efail.

At the same time, expanding secure, centralized platforms to replace email as the primary means by which communications take place will make it very easy for oppressive states, griefers and criminals to attack messaging, by giving them a simple, one-stop shop that, if hacked, will give them the power to disrupt or spy on everything.

I don't know exactly what the answer is. I hate HTML in email (I keep it turned off) and there's a lot of functionality I won't use email for (if you want to set up an appointment with me, tell me what time and date and I'll enter it into my calendar -- I won't click on your "calendar invite"). But I don't know how we would mandate that the people who design email programs should turn off these features without imposing central control over email that would erode its security value as being hard-to-control and so flexibly useful that even trying to control it would impose a high cost on the authorities every bit as much as the people they are controlling.

Attachments on email, again an extension of what email is able to do created with MIME, are the other major source of computer insecurity. You click on something because you want to look at it, but that’s the wrong metaphor. What you’re telling your MIME-enabled email client to do is run this thing in the form that the creator of the email designated. If you don’t know that it was designed to run code, and that code takes over your computer, you might not know that clicking on an attachment just gave control of your computer to someone else. You might never know.

The lesson of Efail is that you can build everything well, but if you’ve built on a bad foundation, there’s no structure strong enough to stand. No one is responsible for email itself, and in the days since the Efail disclosure people have been pointing fingers at each other—email clients, vendors, OpenPGP standards, and S/MIME software vendors. It’s no one’s fault and it’s everyone’s fault. These kinds of disclosures, and the hacks built on the flaws of email, will keep coming for the foreseeable future.

“Email clients don’t have to be this bad,” says Green. Our interview was over the encrypted message application Signal. How does email get better? “If we’re talking about real people, then we’re using it ... The path goes through Signal and WhatsApp and Wire and Wickr to someone doing a corporate product with email-like interface features.” All of these tools use a much more modern encryption scheme, secure and authenticated from the start, and implemented with care. They aren’t flawless, but they aren’t crippled by design the way email was. They are meant for a network of strangers and are built to be suspicious of malignant forces.

Email Is Dangerous [Quinn Norton/The Atlantic]

(Image: Bill Ward, CC-BY)