A "serious" flaw has been found in PGP and S/MIME email encryption

EFF Discovers Email Encryption Flaws

According to the Electronic Frontier Foundation, users must look for alternatives to PGP or S/MIME and turn off any software that automatically decrypts email encrypted with PGP.

Security researchers in Europe discovered the security flaws, posting on Twitter about the issue. The email protocol was never built with security in mind.

Whilst most email is sent unencrypted, many businesses and people rely on S/MIME and PGP encrypted email communications to talk in private.

Most details are available over on the official site, but researchers added that Apple Mail, iOS Mail and Mozilla Thunderbird are the worst affected as they have "even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute".

The group of researchers plan to publish their research paper with details about the vulnerability on Tuesday.

"In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs", researchers explained.

In this scenario, attackers send a "changed encrypted email" to the victim.

The target's email client processes the email.

Security researchers have gone public with vulnerabilities in some secure mail apps that can be exploited by miscreants to decrypt intercepted PGP-encrypted messages.

However, Werner Koch, free software developer and author of the GNU Privacy Guard, posted information on Monday which claims the warnings from EFF are "pretty overblown". If it's not, GnuPG returns an alert.

End-to-end encryption is used specifically to secure emails that have been compromised in those manners. That's because EFAIL can be stopped by using authenticated encryption; OpenPGP started to support authenticated encryption in 2001.

Yet others take issue with that line. "At most you can say 'sorry we are a legacy system, no one knew better then, it's time to migrate off'". It is one of the standard encryption program tools used for signing MIME data. However, they also call for an update to the OpenPGP and S/MIME standards, so the vulnerabilities can be closed.

EFF's recommendation: If you use PGP or S/MIME, disable them, and uninstall the tools that decrypt them. "It seems to not be easily reproducible in all cases". Some have criticized the researchers for teasing the vulnerability before publishing their full paper on it, while others have jumped straight to disabling PGP in their email clients. In the meantime, they are recommending that users stop using OpenPGP and S/MIME for now.

Cluley also pointed out that it is not a new problem - the root problem of mail clients attempting to display corrupted S/MIME messages has been known about since 2000.
