PGP and S/MIME decryptors can leak plaintext from emails, says infosec professor
Users advised to stop using and/or uninstall plugins ASAP to stop Pretty Grievous Pwnage
Updated A professor of Computer Security at the Münster University of Applied Sciences has warned that popular email encryption tool Pretty Good Privacy (PGP) might actually allow Pretty Grievous P0wnage thanks to bugs that can allow supposedly encrypted emails to be read as plaintext.
Professor Sebastian Schinzel took to Twitter with the news early on Monday, European time.
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4— Sebastian Schinzel (@seecurity) May 14, 2018
A second Tweet warns “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”
Schinzel and his fellow researchers have alerted a few folks about the problem, among them the Electronic Frontier Foundation, which has assessed his research and agreed that PGP has flaws.
An EFF advisory says “these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”
“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email,” the EFF’s post said. It also names Enigmail for Thunderbird, GPGTools for Apple Mail and Gpg4win for Outlook as worthy of disablement, and offers instructions on how to do so.
“Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” the advisory says.
Schinzel has promised full details on Tuesday morning at 0700 UTC. Reg operatives somewhere will be paying attention when he reveals all. ®
Updated to add
You can find out more about the vulnerabilities here, now that the embargo has lifted.