Critical PGP vulnerability could reveal text of your encrypted business emails

Thunderbird users may want to check out our guide, "Switch Between HTML And Plain Text Emails In Thunderbird", to enable plain-text email messages in the client.

'Securely encrypted email remains an important and suitable means of increasing information security,' it said in a statement, adding that the flaws which have been discovered can be remedied through patches and proper use. On the other hand, S/MIME is used mainly in enterprise infrastructure.

The Electronic Frontier Foundation (EFF, a non-profit organisation that defends civil liberties in the digital world) had previously advised disabling automatic PGP decryption in email clients.

A more detailed explanation and analysis will be forthcoming once the research is formally released tomorrow, but the vulnerabilities are thought to affect both PGP and the S/MIME public key encryption standard. The researchers have discovered a critical vulnerability dubbed EFAIL that could allow an attacker to view the contents of encrypted messages in plaintext, including emails that have been sent in the past.

The vulnerability comes in two parts: an HTML exfiltration attack in which a snoop sends the target an email with specially crafted web mark-up language.

"[The researchers] figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails".

The attacker needs to first access encrypted emails, which could have been collected years ago.

The GNU Privacy Guard (GnuPG) team responded to the EFF's warnings by saying the problem lies with how email clients implement OpenPGP, not with the protocol itself. In case you have been relying on PGP or S/MIME to keep your email safe, then you need to stop using them right away. However, they also call for an update to the OpenPGP and S/MIME standards, so the vulnerabilities can be closed. "This vulnerability might be used to decrypt the contents of encrypted emails sent in the past".

One of the researchers, Sebastian Schinzel, told the Süddeutsche Zeitung that "email is no longer a secure communication medium", according to Gizmodo.

In line with all expert cryptographic advice to date, recommends the use of PGP in a number of our core articles. They do note, however, that disabling HTML rendering won't completely stop EFAIL attacks.

The researchers claim that they have disclosed their findings "responsibly" to global computer emergency readiness teams (CERTs), GnuPG developers and the affected suppliers, which have applied (or are in the process of applying) countermeasures.

End-to-end encryption is used specifically to secure emails that have been compromised in those manners.
