Critical vulnerabilities in PGP/GPG and S/MIME email encryption, warn researchers

Efail flaw "might reveal the plaintext of encrypted emails."


Update
Full details of the Efail flaw have now been made public ahead of the original schedule. My reading? Not as serious as first mooted, in particular the chances of having your past encrypted emails exposed seem remote.

On Tuesday, a team of researchers are planning to release details of a critical vulnerability which they claim could have serious consequences for internet users who use PGP/GPG to encrypt and decrypt their sensitive email communications.

Details of the threat are currently very sketchy, but the Electronic Freedom Foundation (EFF) says that there is a risk that encrypted messages sent in the past could be exposed through exploitation of the vulnerability:

EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

In fact, users are being advised to stop using and disable the encryption tools immediately in their email client if they use them for sensitive communications.

The EFF appears to have seen the research and has published its own blog post advising users to stop sending and - in particular - decrypting PGP/GPG-encrypted emails until the issues are more widely understood and fixed.

To that end, here are the EFF’s links on how to temporarily disable PGP/GPG encryption plugins on the Thunderbird, Apple Mail, and Outlook email clients:

Without knowing any details of the vulnerability, I might also add that generally disabling HTML email (and using plaintext instead) is a jolly good idea from the security point of view as it can reduce your attack surface considerably. However, I’m also aware that virtually nobody does this.

Of course, if you recognise the need to securely encrypt your communications, you probably also understand that resorting to sending and receiving unencrypted email is far from an acceptable solution. For now you may wish to consider your other communication options, including end-to-end encrypted messaging apps such as Signal.

The researchers’ full findings are scheduled to be released at 7:00 am UTC on Tuesday as part of a co-ordinated public disclosure.

Until more details are made public, it’s hard to know just how serious the security issue really is. Hopefully affected vendors have been contacted in advance, so make sure that when the inevitable product updates and mitigation patches are pushed out you install them as quickly as possible.

Further reading: Despite Efail, the sky is not falling


2 Responses

  1. SG

    May 14, 2018 at 2:49 pm #

    Hi Graham/all,

    Any news so far on if PGP products that are not “OpenPGP” are affected? i.e. Symantec?

    • Graham Cluley in reply to SG.

      May 14, 2018 at 9:08 pm #

      It’s not really a GPG/PGP problem at all. It’s a problem with email client software (and plugins).

      More details at https://www.grahamcluley.com/despite-efail-the-sky-is-not-falling/
