John and I watched the escalating reports of the death of e-mail encryption over the last several days with a growing sense of unease, as the facts were misstated and the conclusions seemed overblown. After an enormous amount of reading, John felt comfortable yesterday in putting out a blog post on this subject in his Your IT Consultant blog.
The Washington Post carried a balanced story yesterday morning, noting that the security community had its own encryption debate after the discovery of the new encryption flaw known as Efail. In the end, I think it is reckless to tell people to stop using encrypted e-mail. The problem isn't with PGP or S/MIME but with the way e-mail clients have implemented it – and this can be fixed.
One of my blog readers was intrigued by the fact that I didn't jump on this news immediately. When stories like this break, and don't pass my personal 'smell' test, my inclination is to let the fire burn down a bit before coming to a rapid (and wrong) conclusion.