Critical vulnerabilities in PGP/GPG and S/MIME email encryption, warn researchers

Graham Cluley

Update
Full details of the Efail flaw have now been made public ahead of the original schedule. My reading? Not as serious as first mooted, in particular the chances of having your past encrypted emails exposed seem remote.

On Tuesday, a team of researchers is planning to release details of a critical vulnerability which they claim could have serious consequences for internet users who rely on PGP/GPG to encrypt and decrypt their sensitive email communications.

Details of the threat are currently very sketchy, but the Electronic Frontier Foundation (EFF) says that there is a risk that encrypted messages sent in the past could be exposed through exploitation of the vulnerability:

EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

In fact, users are being advised to stop using and disable the encryption tools immediately in their email client if they use them for sensitive communications.

The EFF appears to have seen the research and has published its own blog post advising users to stop sending and – in particular – decrypting PGP/GPG-encrypted emails until the issues are more widely understood and fixed.

To that end, here are the EFF’s links on how to temporarily disable PGP/GPG encryption plugins on the Thunderbird, Apple Mail, and Outlook email clients:

Without knowing any details of the vulnerability, I might also add that disabling HTML email (and viewing messages as plain text instead) is generally a jolly good idea from the security point of view, as it reduces your attack surface considerably: a mail client that never renders HTML cannot be tricked into fetching remote content or running active content from a message body. However, I'm also aware that virtually nobody does this.
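As an added example (mine, not part of the original post or any EFF guidance), here is one way to make that plain-text setting stick on Thunderbird by writing it into the profile's `user.js`, which Thunderbird reads on startup. The preference names are Thunderbird's own as far as I know them; the assumption is that you use Thunderbird and point the function at the right profile directory.

```shell
#!/bin/sh
# Added example, not from the original post: write Thunderbird user.js
# preferences that force plain-text rendering and block remote content.
# Assumptions (mine, not the article's): the reader uses Thunderbird, and
# the preference names below are Thunderbird's own:
#   mailnews.display.html_as                       0 = HTML, 1 = plain text, 3 = simple HTML
#   mailnews.display.prefer_plaintext              prefer text/plain in multipart/alternative
#   mailnews.message_display.disable_remote_image  do not fetch remote images/content
# The target file is supplied by the caller (normally <profile>/user.js).

MANAGED_PREFS="mailnews.display.html_as mailnews.display.prefer_plaintext mailnews.message_display.disable_remote_image"

# Append the hardened prefs, replacing any earlier values for the same names.
write_plaintext_prefs() {
    prefs_file="$1"
    [ -n "$prefs_file" ] || return 1
    touch "$prefs_file" || return 1
    # Drop earlier copies of the prefs we manage so re-running is idempotent.
    for name in $MANAGED_PREFS; do
        grep -v "\"$name\"" "$prefs_file" > "$prefs_file.tmp" || true
        mv "$prefs_file.tmp" "$prefs_file"
    done
    cat >> "$prefs_file" <<'EOF'
// Render every message as plain text instead of HTML.
user_pref("mailnews.display.html_as", 1);
user_pref("mailnews.display.prefer_plaintext", true);
// Never load remote content referenced by a message body.
user_pref("mailnews.message_display.disable_remote_image", true);
EOF
}

# Returns 0 only when every managed pref is present with the hardened value.
verify_plaintext_prefs() {
    prefs_file="$1"
    grep -q 'user_pref("mailnews.display.html_as", 1);' "$prefs_file" &&
    grep -q 'user_pref("mailnews.display.prefer_plaintext", true);' "$prefs_file" &&
    grep -q 'user_pref("mailnews.message_display.disable_remote_image", true);' "$prefs_file"
}

# Usage (close Thunderbird first; it rewrites prefs.js on exit, but user.js
# is re-applied on every start):
#   write_plaintext_prefs "$HOME/.thunderbird/<profile>.default/user.js"
#   verify_plaintext_prefs "$HOME/.thunderbird/<profile>.default/user.js" && echo "hardened"
```

The verify step matters more than the write: after the next Thunderbird start, check that the values survived, because a setting changed later through the preferences dialog lands in `prefs.js` and is overridden by `user.js` again on restart, which is exactly what you want here.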

Of course, if you recognise the need to securely encrypt your communications, you probably also understand that falling back to sending and receiving unencrypted email is far from an acceptable solution. For now you may wish to consider your other communication options, including end-to-end encrypted messaging apps such as Signal.

The researchers’ full findings are scheduled to be released at 7:00 am UTC on Tuesday as part of a co-ordinated public disclosure.

Until more details are made public, it’s hard to know just how serious the security issue really is. Hopefully affected vendors have been contacted in advance, so make sure that when the inevitable product updates and mitigation patches are pushed out you install them as quickly as possible.

Further reading: Despite Efail, the sky is not falling

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Critical vulnerabilities in PGP/GPG and S/MIME email encryption, warn researchers”

  1. Hi Graham/all,

    Any news so far on if PGP products that are not "OpenPGP" are affected? i.e. Symantec?

    1. It's not really a GPG/PGP problem at all. It's a problem with email client software (and plugins).

      More details at https://www.grahamcluley.com/despite-efail-the-sky-is-not-falling/
