A "serious" flaw has been found in PGP and S/MIME email encryption

PSA: PGP and S/MIME are broken and leaking encrypted emails – stop using them right now

According to the Electronic Frontier Foundation, users must look for alternatives to PGP or S/MIME and turn off any software that automatically decrypts email encrypted with PGP.

Security researchers in Europe discovered the security flaws and posted on Twitter about the issue. The email protocol was never built with security in mind.

Whilst most email is sent unencrypted, many businesses and people rely on S/MIME and PGP encrypted email communications to talk in private.

Most details are available over on the official site, but researchers added that Apple Mail, iOS Mail and Mozilla Thunderbird are the worst affected as they have "even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute".

The group of researchers plan to publish their research paper with details about the vulnerability on Tuesday.

"In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs", researchers explained.

In this scenario, attackers send a "changed encrypted email" to the victim.

The target's email client processes the email.
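The researchers' description points at externally loaded images and styles as the channel, so the corresponding client-side check is to list every resource an HTML part would fetch on render before displaying it. The following is an added example, not code from the researchers or from any mail client; the function and class names, the attribute list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Attributes a renderer fetches without user action (not an exhaustive list).
FETCH_ATTRS = {"src", "background", "poster", "data", "href"}
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class RemoteLoadFinder(HTMLParser):
    """Collects (tag, attribute, url) for resources fetched on render."""
    def __init__(self):
        super().__init__()
        self.findings, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        for name, value in attrs:
            # href is auto-fetched only on <link>; on <a> it needs a click.
            if not value or (name == "href" and tag != "link"):
                continue
            if name == "style":      # inline CSS can also reference remote URLs
                self.findings += [(tag, name, u) for u in CSS_URL.findall(value)]
            elif name in FETCH_ATTRS and REMOTE.match(value):
                self.findings.append((tag, name, value.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:            # contents of a <style> element
            self.findings += [("style", "css", u) for u in CSS_URL.findall(data)]

def remote_loads(raw_message):
    """Return every remote resource the text/html parts would load on render."""
    finder = RemoteLoadFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    finder.close()
    return finder.findings

# Constructed sample message (example.* hosts are placeholders).
SAMPLE = (
    "From: a@example.org\nSubject: constructed sample\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<html><head><link rel="stylesheet" href="https://static.example.net/a.css">\n'
    '<style>body{background:url("http://static.example.net/bg.png")}</style></head>\n'
    '<body><img src="https://static.example.net/logo.png"><img src="cid:logo">\n'
    '<a href="https://example.org/page">link</a></body></html>\n'
)
```

A client or mail gateway can refuse to render, or render as plain text, any decrypted message for which `remote_loads` returns a non-empty list.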

Security researchers have gone public with vulnerabilities in some secure mail apps that can be exploited by miscreants to decrypt intercepted PGP-encrypted messages.

However, Werner Koch, free software developer and author of the GNU Privacy Guard, posted information on Monday which claims the warnings from EFF are "pretty overblown". If it's not, GnuPG returns an alert.

End-to-end encryption is used specifically to secure emails that have been compromised in those manners. That's because EFAIL can be stopped by using authenticated encryption; OpenPGP started to support authenticated encryption in 2001.

Yet others take issue with that line. "At most you can say 'sorry we are a legacy system, no one knew better then, it's time to migrate off'". It is one of the standard encryption program tools used for signing MIME data. However, they also call for an update to the OpenPGP and S/MIME standards, so the vulnerabilities can be closed.

EFF's recommendation: If you use PGP or S/MIME, disable them, and uninstall the tools that decrypt them. "It seems to not be easily reproducible in all cases". Some have criticized the researchers for teasing the vulnerability before publishing their full paper on it, while others have jumped straight to disabling PGP in their email clients. In the meantime, they are recommending that users stop using OpenPGP and S/MIME for now.

Cluley also pointed out that it is not a new problem - the root problem of mail clients attempting to display corrupted S/MIME messages has been known about since 2000.
