Hacking, email encryption, PGP, S/MIME | Homeland Security Newswire

Vulnerabilities found in PGP-encrypted emails, users urged to take immediate action

Published 14 May 2018

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. The Electronic Frontier Foundation (EFF) says it has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

The full details of the vulnerability will be published in a paper tomorrow (Tuesday, 15 May, at 3:00 a.m. EST, midnight Pacific).

EFF says that, in order to reduce the short-term risk, EFF and the researchers have agreed to warn the wider PGP user community in advance of the full publication of the vulnerability.

EFF and the researchers urge users to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

For a detailed discussion of the vulnerability and how to minimize the risk it entails, see Erica Portnoy, Danny O’Brien, and Nate Cardozo, “Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw” (EFF, 14 May 2018).

Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

Users should refer to these guides on how to temporarily disable PGP plug-ins in:

Thunderbird with Enigmail

Apple Mail with GPGTools

Outlook with Gpg4win

EFF notes that these steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community.