Yes, there’s an email encryption vulnerability; no, you (likely) don’t need to freak out


European security researchers have released a warning regarding a vulnerability in PGP and S/MIME, two forms of encryption used in email. While the researchers and the Electronic Frontier Foundation recommend that users of the technology disable it, this likely affects few law firms.

The flaw, which is being called “EFAIL,” is a series of vulnerabilities that allow an attacker to send a malicious email that can expose email contents. It does not affect all encryption or emails.

A post on EFF’s website says that users of PGP, which stands for “Pretty Good Privacy,” should “pause” their use until the vulnerability is fixed. EFF provides walk-throughs on their site to disable PGP for Apple Mail, Outlook and Thunderbird.

“These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community,” wrote EFF.

While the vulnerability is capturing headlines online, some in the security world think the concern over EFAIL is overblown.

“[The researchers] figured out mail clients which don’t properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation,” GNU Privacy Guard said on Twitter.

In 2017, the ABA Standing Committee on Ethics and Professional Responsibility released Formal Opinion 477 on “Securing Communication of Protected Client Information”. Specifically, Comment 18 to Model Rule 1.6(c) called for a “fact-based analysis” of whether or not to use a particular type of security protocol, which “means that particularly strong protective measures, like encryption, are warranted in some circumstances.”


PGP is popular with journalists, activists and whistleblowers, but the legal community has been slow to adopt the technology originally released in 1991.

Keith Lee, the founder of LawyerSmack, an online legal community, says: “The most [lawyers] are doing is using GSuite or some equivalent and relying on that in transit encryption, but are rarely (if ever) actually encrypting the text/content of emails.”

When he asked his online community whether any of the members use PGP, responses ranged from “LOL, no” to “Most don’t even know what that is” to a member saying he set up PGP, but no client has ever wanted to use the encryption option.

According to the ABA’s 2017 Legal Technology Research Survey, 36.4 percent of responding firms and solo practitioners used some form of email encryption. Larger firms, those with over 500 lawyers, were the most likely to use encryption at 61.3 percent. Solos were the least likely to use the technology at 24.4 percent. The survey does not mention the type of encryption used by these firms.

EFF recommends using Signal by Open Whisper Systems while the PGP vulnerability is being fixed.



Author: Edward Lott
