eFail Attack on PGP and S/MIME Encryption

The EFF, backed by security researchers, has issued a warning over PGP and S/MIME encryption: stop using them, at least for now, to secure your emails.

PGP is widely regarded as the safest way to send secure emails, although it does not encrypt metadata and is not the easiest to use.


Sebastian Schinzel, Professor of computer security at Münster University of Applied Sciences, on 14 May tweeted: “We’ll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.”

Professor Schinzel is a respected security researcher who has uncovered many cryptographic vulnerabilities. His most notable find was the 2016 DROWN attack, which put 33% of all HTTPS servers in the world at risk.

The Electronic Frontier Foundation (EFF) has confirmed the vulnerability:
“A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

It is best to follow the EFF’s advice.

The EFF article then gives links to tutorials on how to disable the PGP plug-ins in Thunderbird with Enigmail, Apple Mail with GPGTools, and Outlook with Gpg4win.

There is no mention of removing standalone apps such as Gpg4win or PGP browser add-ons such as Mailvelope.


S/MIME is similar to PGP; the only difference is that S/MIME uses predefined encryption standards and public-private key pairs issued by a trusted authority, whereas PGP users define their own encryption methods and manage the sharing of their own encryption keys.


You should avoid using PGP and S/MIME to encrypt emails until the issue is entirely fixed.


Image credit: By arka38/Shutterstock.

