What the ‘Efail’ email breach is all about and what you need to do


The so-called ‘Efail’ security bug affects Microsoft Outlook for Windows (among other email clients), but only if you’re using an email encryption plug-in such as Gpg4Win (PGP) or S/MIME.


The bug means that messages that should be encrypted can, instead, be viewed in plain text.

The current advice is to uninstall Gpg4Win. The EFF has instructions for disabling PGP/GPG in Outlook and Thunderbird (Windows) and Apple Mail (Mac).

The good news is that most people don’t bother with encrypted email. We agree with Josephine Wolff at Slate, who wrote “The Most Shocking Thing About Encrypted Email Being Vulnerable Is That Anyone Still Uses Encrypted Email.”

An alternative is what we’ve recommended for some time: use a secure messaging app like Signal. Signal (or WhatsApp, which uses the same encryption system) can send attachments up to 100MB, more than enough for most MS Office documents.

Secure Email, please

We’d love to see some improvements to the email infrastructure. There have been changes over the years, mostly partial measures to ensure ‘From’ domains aren’t faked by spammers. Those measures, DKIM and SPF, aren’t foolproof.

For individuals, existing email encryption systems are clumsy and difficult to use. Microsoft ‘supports’ email encryption in Outlook for Windows, but the feature is the bare minimum necessary. It’s hard to set up and use, and Microsoft shows no interest in making it work any better.

It’s little wonder that people are using messaging apps like WhatsApp or, better, Signal. They’ve integrated encryption into their systems in a way that email hasn’t.

What’s needed is an Internet-wide standard for email encryption. That’s technically possible, but there’s considerable resistance from both companies and governments. Companies like Microsoft don’t want a global standard because they’re making money selling their own limited, proprietary encryption options. Governments already hate the solid encryption tech developed by Signal; you can imagine what the NSA/CIA/GCHQ and other intelligence services would think of easily encrypted email.

Office Watch has the latest news and tips about Microsoft Office. Independent since 1996. Delivered once a week.